PCNSE – Palo Alto Certified Network Security Engineer

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

When you configure an active/active high availability pair which two links can you use? (Choose two)

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

An administrator has 850 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

As a best practice, which URL category should you target first for SSL decryption?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

Which three statements accurately describe Decryption Mirror? (Choose three.)

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

What are three types of Decryption Policy rules? (Choose three.)

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Match each type of DoS attack to an example of that type of attack.

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Place the steps in the WildFire process workflow in their correct order.

Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

Given the following snippet of a Wild Fire submission log. did the end-user get access to the requested information and why or why not?

What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

An administrator wants to upgrade a firewall HA pair to PAN-OS 11.1. The firewalls are currently running PAN-OS 10.1.4-h1. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

A variable name must start with which symbol?

In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?

When overriding a template configuration locally on a firewall, what should you consider?

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

PBF can address which two scenarios? (Select Two)

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Which two are valid ACC Global Protect Activity tab widgets? (Choose two.)

An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?

What are two characteristic types that can be defined for a variable? (Choose two)

Before you upgrade a Palo Alto Networks NGFW, what must you do?

During the packet flow process, which two processes are performed in application identification? (Choose two.)

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

Which rule type controls end user SSL traffic to external websites?

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

Which option is part of the content inspection process?

Which three options are supported in HA Lite? (Choose three.)

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

SD-WAN is designed to support which two network topology types? (Choose two.)

Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

Match each Global Protect component to the purpose of that component.

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)

Which three split tunnel methods are supported by a Global Protect Gateway? (Choose three.)

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

Which configuration task is best for reducing load on the management plane?

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

The UDP-4501 protocol-port is used between which two GlobalProtect components?

What are two valid deployment options for Decryption Broker? (Choose two)

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

In a Panorama template which three types of objects are configurable? (Choose three)

Which two features require another license on the NGFW? (Choose two.)

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?