Certification Provider: Palo Alto
Exam: Palo Alto Certified Network Security Consultant
Exam Code: PCNSC
Total Questions: 60
Questions per Quiz: 50
Updated On: 12 April 2025

Note: To practice all the questions and answers, you have to take the quiz multiple times. Questions and answers are presented randomly and will help you get hands-on practice for the real exam.

1. A URL is categorized as both health-and-medicine and abused-drugs. ... Which two actions will be taken when this URL is visited? (Choose two.)
   - continue
   - allow
   - log
   - block

2. When creating a custom application signature, which field allows you to specify the layer 7 protocol details to match?
   - Signature ID
   - Application
   - Protocol Decoder
   - Pattern Match
   - None

3. Which three steps must an admin perform to load only objects from a PAN-OS saved config file into a VM-300 firewall that is in production? (Choose 3)
   - use load config partial command
   - enter config mode from CLI
   - use device config import in Panorama
   - import named config snapshot through web interface
   - Load config in web interface and commit

4. Examine the configured Security policy rule. Which day one/Iron Skillet Security Profile Group is used to secure the traffic that is permitted through this rule?
   - Inbound
   - Outbound
   - Default
   - Internal
   - None

5. What is the preferred method for gathering User-ID mappings from Citrix VDI servers?
   - GlobalProtect with an internal gateway
   - Agentless Server Monitoring
   - The Windows User-ID agent
   - The Terminal Services agent
   - None

6. Which of the following is a primary use case for the Decryption Broker feature?
   - Sharing decrypted traffic with multiple security appliances
   - Managing multiple decryption rules
   - Decrypting outbound SSL traffic
   - Aggregating traffic logs from different sources
   - None

7. Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices. What three steps are needed to set up tunnel monitoring? (Choose three)
   - Restart each IPSEC tunnel
   - Create a monitoring profile
   - Enable tunnel monitoring on each IPsec tunnel
   - Add an IP address to each tunnel interface
   - Restart each IKE gateway

8. A customer’s Palo Alto Networks NGFW currently has only one security policy allowing all traffic. They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an “allow any” rule. What should the consultant say about Expedition?
   - Live firewall traffic can be viewed on Expedition when connected to a firewall, and Expedition can automatically create and push policies to the firewall.
   - The log files can be viewed on Expedition, and right-clicking a log entry gives the option to create security policy from the log entry.
   - By using the Machine Learning feature, Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic.
   - Expedition cannot parse log files and therefore cannot be used for this purpose.
   - None

9. An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?
   - The firewalls do not use floating IPs in active/active
   - The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP
   - Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP
   - The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
   - None

10. Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update? (Choose two.)
   - when an organization operates a mission-critical network and has zero tolerance for downtime
   - when you want to immediately benefit from the latest threat prevention
   - when planning to enable the App-IDs immediately
   - when disabling facebook-base to disable all other Facebook App-IDs

11. In Panorama, the web interface displays the security rules in evaluation order. Organize the security rules in the order in which they will be evaluated?
   - Shared pre-rules -> Device group pre-rules -> Local firewall-rules -> Device group post-rules -> Shared post-rules
   - Shared pre-rules -> Shared post-rules -> Device group pre-rules -> Local firewall-rules -> Device group post-rules
   - Shared pre-rules -> Local firewall-rules -> Device group pre-rules -> Device group post-rules -> Shared post-rules
   - Shared pre-rules -> Device group pre-rules -> Device group post-rules -> Shared post-rules -> Local firewall-rules
   - None

12. A firewall configuration is being migrated by Expedition from a third-party vendor to a Palo Alto Networks Next-Generation Firewall (NGFW). Expedition flags one service as invalid following the import of the original configuration file. An engineer investigates and finds the invalid service to be ping, which is used by the security policies. Which action should the engineer take?
   - Use the search & replace in Expedition to replace the ping service classification with ping application.
   - Create an Application Override policy to override the ping service classification with ping application.
   - Remove ping service from all the policies which reference it.
   - Ignore the invalid flag in Expedition for the firewall to accept ping service.
   - None

13. What configuration is necessary for Active/Active HA to synchronize sessions between peers?
   - Enable session synchronization under the HA settings
   - Enable session Preemption on both peers
   - Configure a floating IP address
   - Use the same virtual IP address on both peers
   - None

14. What is exchanged through the HA2 link?
   - User-ID information
   - HA state information
   - hello heartbeats
   - session synchronization
   - None

15. A customer's Palo Alto Networks NGFW currently has only one security policy allowing all traffic. They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an "allow any" rule. What should the consultant say about Expedition?
   - The log files can be viewed on Expedition, and right-clicking a log entry gives the option to create security policy from the log entry.
   - Live firewall traffic can be viewed on Expedition when connected to a firewall, and Expedition can automatically create and push policies to the firewall
   - Expedition cannot parse log files and therefore cannot be used for this purpose
   - By using the Machine Learning feature Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic
   - None

16. Which command is used to install Expedition tool for migration? (Choose 2)
   - sudo apt-get install expedition-beta
   - sudo apt-get install expedition
   - sudo apt-get update
   - sudo apt-get upgrade

17. Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update? (Choose two.)
   - when you want to immediately benefit from the latest threat prevention
   - when an organization operates a mission-critical network and has zero tolerance for downtime
   - when planning to enable the App-IDs immediately
   - when disabling facebook-base to disable all other Facebook App-IDs

18. What happens when a packet from an existing session is received by a firewall that is not the session owner?
   - The firewall drops the packet to prevent any L3 loops
   - The firewall requests the sender to resend the packet
   - The firewall takes the ownership of the session from the peer firewall
   - The firewall forwards the packet to the peer firewall over the HA3 link
   - None

19. A company has deployed an Active/Passive 5280 HA pair with BGP configured to the company’s ISP. The lead firewall engineer has set the HA Timer to “Recommended”. Upon failing over the HA pair, there is a two-minute outage and internet traffic is dropped. What should the engineer do to eliminate or minimize the outage in the future?
   - Enable Path Monitoring to the ISP
   - Change the HA Timer to “Advanced” with “Preemption Hold Time” of one minute
   - Ensure that “Graceful Restart” has been enabled on all peers
   - Change the HA Timer to “Aggressive”
   - None

20. When creating a custom application signature, which field allows you to specify the layer 7 protocol details to match?
   - Protocol Decoder
   - Signature ID
   - Application
   - Pattern Match
   - None

21. Your customer believes that the Panorama appliance is being overwhelmed by the logs from deployed Palo Alto Networks Next-Generation Firewalls. What CLI command can you run to determine the number of logs per second sent by each firewall?
   - debug log-sender statistics
   - show logging status
   - debug log-receiver statistics
   - show log traffic
   - None

22. Identify the Stakeholder with their Role when planning a Firewall, Panorama, and Cortex XDR Deployment. (Select correct 4)
   - Security Administrator -> Determines the security, logging, reporting requirement and manages the security policy
   - Security Engineer -> Determines the security, logging, reporting requirement and manages the security policy
   - Security Administrator -> Manages the software distribution method for Cortex XDR Client
   - Security Engineer -> Manages the software distribution method for Cortex XDR Client
   - Security Operation Analyst -> Manages the alerts and responds to threats identified to the network or endpoints.
   - Network Engineer -> manages the routing, switching, and general device interconnectivity

23. A customer has deployed a GlobalProtect portal and gateway as its remote-access VPN solution for its fleet of Windows 10 laptops. The customer wants to use Host Information Profile (HIP) data collected at the GlobalProtect gateway throughout its enterprise as an additional means of policy enforcement. What additional licensing must the customer purchase?
   - WildFire license
   - GlobalProtect license for each firewall that will use HIP data to enforce policy
   - DNS Security on the perimeter firewall
   - GlobalProtect license for the gateway firewall
   - None

24. With its improved reliability and automation, Expedition 2 will install by using which of the following?
   - Red Hat Enterprise Linux (RHEL) 9
   - Ubuntu 16.04 and higher
   - Windows Server 2016
   - Ubuntu 20.04
   - None

25. Which interface deployments support the Aggregate Ethernet Active configuration? (Choose three.)
   - LACP in Layer 2
   - LACP in Layer 3
   - LACP in TAP
   - LACP in Virtual Wire
   - LLDP in Layer 3

26. In preparation for a cutover event, what two processes or procedures should be verified? (Choose 2)
   - roles and responsibilities
   - change management requirements
   - logging and reporting
   - auditing

27. Match the task for server setting in group mapping with its order in the process.
   - None

28. In an HA active/active configuration, what is the purpose of ARP load sharing?
   - protect internal networks from an ARP flooding attack
   - share an IP address and provide gateway services
   - share all IP addresses and provide Layer 4 through Layer 7 services when failure is detected
   - sync the ARP table between the two firewalls
   - None

29. In Expedition, which objects are classified as “Ghost objects”?
   - Address objects that are not applied in Security or NAT policies
   - Address objects that are not part of an Address Group
   - Unused address objects
   - Addresses imported from Security and NAT policies without corresponding address objects.
   - None

30. What command can you use to check the status of GlobalProtect clients connected to the firewall?
   - show globalprotect current-user
   - show globalprotect status
   - show globalprotect gateway
   - show globalprotect statistics
   - None

31. A customer has a five-year-old firewall in production. In the time since the firewall was installed, the IT team deleted unused security policies on a regular basis, but they did not remove the address objects and groups that were part of these security policies. What is the best way to delete all of the unused address objects on the firewall?
   - Using CLI execute requestconfiguration address-objectsremove-unused-objects.
   - Import the configuration in Expedition, remove unused address objects, and reimport the configuration.
   - Go to Address Objects under the Objects tab and click on Remove unused objects
   - Search each address object with Global Find and delete if it shows that the address object is not referenced
   - None

32. In an HA active/active configuration, which task does the session setup firewall perform?
   - decryption
   - NAT
   - Traffic log generation
   - threat scanning
   - None

33. What are the three predefined external dynamic lists in PAN-OS that customers receive with their content and threat updates? (Choose three.)
   - bulletproof IP addresses
   - embargoed-country IP addresses
   - known-malicious IP addresses
   - command-and-control IP addresses
   - high-risk IP addresses

34. Which routing configuration should you recommend to a customer who wishes to actively use multiple pathways to the same destination?
   - ECMP
   - RIPv2
   - BGP
   - OSPF
   - None

35. A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS software would help in this case?
   - content inspection
   - virtual wire mode
   - redistribution of user mappings
   - application override
   - None

36. An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall. What additional license do they need to purchase?
   - a Cortex Data Lake license
   - an IoT Security license for the perimeter firewall
   - an Enterprise Data Loss Prevention (DLP) license
   - an IoT Security license for each deployed firewall
   - None

37. In an HA (High Availability) setup, what is the purpose of the HA3 link?
   - Exchange heartbeats between the devices
   - Synchronize session state information
   - Transmit HA control traffic
   - Synchronize configuration changes
   - None

38. TAC has requested a PCAP on your Panorama to see why the DNS app is having intermittent issues resolving FQDN. What is the appropriate CLI command?
   - tcp dump snaplen 53 filter "tcp 53"
   - tcpdump snaplen 0 filter "port 53"
   - tcp dump snap-en 0 filter "app dns"
   - tcpdump snaplen 53 filter "port 53"
   - None

39. Which CLI command should you use to verify whether all SFP, SFP+, or QSFP modules are installed in a firewall?
   - show interface detail
   - show system info
   - show system state filter sys.s*.p*.phy
   - show system state filter sys.p*.phy
   - None

40. What information is necessary to properly plan the deployment of a Panorama hardware appliance for firewall management?
   - Panorama Mode, number of managed devices, CPU, and memory allocation in the hypervisor
   - Wiring, power, Console access, and management interface connectivity
   - Virtual router, zones, and interface configuration of the dataplane interface
   - ESXi Server location and routing to the Panorama appliance
   - None

41. A customer recently purchased a license for URL filtering and is having trouble activating PAN-DB. Which two commands can be used to troubleshoot this issue? (Choose two.)
   - request url-database license info
   - request license info
   - show system setting url-database
   - show device setting pan-db

42. What is the default port used by the Terminal Services agent to communicate with a firewall?
   - 5007
   - 636
   - 443
   - 5009
   - None

43. An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall. What additional license do they need to purchase?
   - an IoT Security license for the perimeter firewall
   - an Enterprise Data Loss Prevention (DLP) license
   - an IoT Security license for each deployed firewall
   - a Cortex Data Lake license
   - None

44. A customer has a pair of Panorama HA appliances running local log collectors and wants to have log redundancy on logs forwarded from firewalls. Which two configuration options fulfill the customer’s requirement for log redundancy? (Choose two.)
   - Log redundancy must be enabled per Collector Group.
   - Panorama configured in HA provides log redundancy.
   - Panorama operational mode needs to be Dedicated Log Collector.
   - A Collector Group must contain at least two Log Collectors.

45. What happens when a packet from an existing session is received by a firewall that
   - The firewall takes ownership of the session from the peer firewall
   - The firewall requests the sender to resend the packet
   - The firewall forwards the packet to the peer firewall over the HA3 link
   - The firewall drops the packet to prevent any L3 loops
   - None

46. Which two options describe the behavior of the “Direction” property in a WildFire Analysis Profile rule? (Choose two.)
   - The upload direction option matches only files that were uploaded to the internet by a user on the Inside network.
   - The both direction option matches all files, but only if the transfer is started by the connection initiator.
   - The download direction option matches files that the connection initiator received from the service it connected to.
   - The both direction option matches all files that are seen by the firewall, regardless of whether the transfer is started by the connection initiator or responder.

47. Which category of Vulnerability Signature is most likely to trigger false positive alerts?
   - phishing
   - brute-force
   - info-leak
   - Code-execution
   - None

48. Which Palo Alto Networks feature allows you to create dynamic security policies based on the behavior of the device in your network?
   - APP-ID
   - Cortex XDR
   - Dynamic Address Group
   - Behavioral Threat Detection
   - None

49. A company’s network operations engineer is documenting a solution and wants to know the default priority setting for an LACP connection. If no changes are made to the default configuration settings for the LACP, which priority setting should you share with the engineer?
   - 100
   - 65,535
   - 1
   - 32,768
   - None

50. Which Panorama operational mode is necessary to manage a large number of firewalls and also act as a log collector?
   - Management Only
   - Log Collector Only
   - Dedicated Log Collector
   - Management and Log Collector
   - None