PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Questions and Answers

Questions 4

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority. Match the default Administrative Distances for each routing protocol.

Options:

Questions 5

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

Options:

A.

Data Filtering

B.

Threat

C.

Traffic

D.

Configuration

Questions 6

In a Panorama template, which three types of objects are configurable? (Choose three)

Options:

A.

certificate profiles

B.

HIP objects

C.

QoS profiles

D.

security profiles

E.

interface management profiles

Questions 7

An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth. Which QoS setting should the engineer adjust?

Options:

A.

QoS profile: Egress Max

B.

QoS interface: Egress Guaranteed

C.

QoS profile: Egress Guaranteed

D.

QoS interface: Egress Max

Questions 8

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-important-website.com website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

Options:

A.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA checkbox, and commit the configuration

B.

Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

D.

Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

Questions 9

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

Options:

A.

Syslog

B.

XFF Headers

C.

Client probing

D.

Server Monitoring

Questions 10

Which GlobalProtect component must be configured to enable Clientless VPN?

Options:

A.

GlobalProtect satellite

B.

GlobalProtect app

C.

GlobalProtect portal

D.

GlobalProtect gateway

Questions 11

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

What is the correct setting?

Options:

A.

Change the HA timer profile to "aggressive" or customize the settings in advanced profile.

B.

Change the HA timer profile to "fast".

C.

Change the HA timer profile to "user-defined" and manually set the timers.

D.

Change the HA timer profile to "quick" and customize in advanced profile.

Questions 12

Which statement regarding HA timer settings is true?

Options:

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Questions 13

Which source is the most reliable for collecting User-ID user mapping?

Options:

A.

GlobalProtect

B.

Microsoft Active Directory

C.

Microsoft Exchange

D.

Syslog Listener

Questions 14

What are two valid deployment options for Decryption Broker? (Choose two)

Options:

A.

Transparent Bridge Security Chain

B.

Layer 3 Security Chain

C.

Layer 2 Security Chain

D.

Transparent Mirror Security Chain

Questions 15

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Options:

A.

One-time password

B.

User certificate

C.

Voice

D.

SMS

E.

Fingerprint

Questions 16

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

Options:

A.

upload-only

B.

upload and install and reboot

C.

verify and install

D.

upload and install

E.

install and reboot

Questions 17

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?

Options:

A.

Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.

B.

Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

C.

Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.

D.

Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Questions 18

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?

Options:

A.

The trusted certificate

B.

The server certificate

C.

The untrusted certificate

D.

The root CA

Questions 19

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices.

What should the administrator implement?

Options:

A.

target service connection for traffic steering

B.

summarized BGP routes before advertising

C.

hot potato routing

D.

default routing

Questions 20

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

Options:

A.

Phase 2 SAs are synchronized over HA2 links

B.

Phase 1 and Phase 2 SAs are synchronized over HA2 links

C.

Phase 1 SAs are synchronized over HA1 links

D.

Phase 1 and Phase 2 SAs are synchronized over HA3 links

Questions 21

The UDP-4501 protocol-port is used between which two GlobalProtect components?

Options:

A.

GlobalProtect app and GlobalProtect gateway

B.

GlobalProtect portal and GlobalProtect gateway

C.

GlobalProtect app and GlobalProtect satellite

D.

GlobalProtect app and GlobalProtect portal

Questions 22

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.

Which scenario will cause the Active firewall to fail over?

Options:

A.

IP address 8.8.8.8 is unreachable for 1 second.

B.

IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.

C.

IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds

D.

IP address 4.2.2.2 is unreachable for 2 seconds.

Questions 23

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?

Options:

A.

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

C.

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

D.

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot

Questions 24

Which data flow describes redistribution of user mappings?

Options:

A.

User-ID agent to firewall

B.

firewall to firewall

C.

Domain Controller to User-ID agent

D.

User-ID agent to Panorama

Questions 25

What can be used to create dynamic address groups?

Options:

A.

dynamic address

B.

region objects

C.

tags

D.

FQDN addresses

Questions 26

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Options:

A.

the website matches a category that is not allowed for most users

B.

the website matches a high-risk category

C.

the web server requires mutual authentication

D.

the website matches a sensitive category

Questions 27

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

Options:

A.

In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.

B.

Within the redistribution profile, ensure that Redist is selected.

C.

Ensure that the OSPF neighbor state is "2-Way."

D.

In the redistribution profile, check that the source type is set to "ospf."

Questions 28

An administrator needs to gather information about the firewall CPU utilization on both the management plane and the data plane.

Where does the administrator view the desired data?

Options:

A.

Application Command and Control Center

B.

Monitor > Utilization

C.

Support > Resources

D.

System Resources Widget on the Dashboard

Questions 29

An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?

Options:

A.

Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

B.

Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.

C.

Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.

D.

Disable the WildFire profile on the related Security policy.

Questions 30

Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?

Options:

A.

within the log forwarding profile attached to the Security policy rule

B.

within the log settings option in the Device tab

C.

in WildFire General Settings, select "Report Grayware Files"

D.

in Threat General Settings, select "Report Grayware Files"

Questions 31

An ISP manages a Palo Alto Networks firewall with multiple virtual systems for its tenants.

Where on this firewall can the ISP configure unique service routes for different tenants?

Options:

A.

Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Inherit Global Service Route Configuration

B.

Setup > Services > Global > Service Route Configuration > Customize

C.

Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Customize

D.

Setup > Services > Global > Service Route Configuration > Use Management Interface for all

Questions 32

Which configuration is backed up using the Scheduled Config Export feature in Panorama?

Options:

A.

Panorama running configuration

B.

Panorama candidate configuration

C.

Panorama candidate configuration and candidate configuration of all managed devices

D.

Panorama running configuration and running configuration of all managed devices

Questions 33

Given the screenshot, how did the firewall handle the traffic?

Options:

A.

Traffic was allowed by policy but denied by profile as encrypted.

B.

Traffic was allowed by policy but denied by profile as a threat.

C.

Traffic was allowed by profile but denied by policy as a threat.

D.

Traffic was allowed by policy but denied by profile as a nonstandard port.

Questions 34

An engineer has been given approval to upgrade their environment to PAN-OS 10.2.

The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors.

What is the recommended order when upgrading to PAN-OS 10.2?

Options:

A.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

B.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

C.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

D.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Questions 35

The following objects and policies are defined in a device group hierarchy

A)

B)

C)

Address Objects
-Shared Address1
-Branch Address2

Policies
-Shared Policy1
-Branch Policy1

D)

Address Objects
-Shared Address1
-Shared Address2
-Branch Address1

Policies
-Shared Policy1
-Shared Policy2
-Branch Policy1

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Questions 36

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized.

Given the size of this environment, which User-ID collection method is sufficient?

Options:

A.

Citrix terminal server agent deployed on the network

B.

Windows-based agent deployed on each domain controller

C.

PAN-OS integrated agent deployed on the firewall

D.

a syslog listener

Questions 37

Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

Options:

A.

Override the value on the NYCFW template.

B.

Override a template value using a template stack variable.

C.

Override the value on the Global template.

D.

Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

Questions 38

An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same firewall. The update contains an application that matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

Options:

A.

Custom application

B.

Unknown application

C.

Incomplete application

D.

Downloaded application

Questions 39

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such.

The admin has not yet installed the root certificate onto client systems.

What effect would this have on decryption functionality?

Options:

A.

Decryption will function and there will be no effect to end users

B.

Decryption will not function because self-signed root certificates are not supported

C.

Decryption will not function until the certificate is installed on client systems

D.

Decryption will function but users will see certificate warnings for each SSL site they visit

Questions 40

An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department.

Which dynamic role does the administrator assign to the new-hire colleague?

Options:

A.

Device administrator (read-only)

B.

System administrator (read-only)

C.

Firewall administrator (read-only)

D.

Superuser (read-only)

Questions 41

In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

Options:

A.

Threat logs

B.

Traffic logs

C.

System logs

D.

WildFire logs

Questions 42

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

Options:

A.

Incomplete

B.

unknown-tcp

C.

Insufficient-data

D.

not-applicable

Questions 43

Which CLI command displays the physical media that are connected to ethernet1/8?

Options:

A.

> show system state filter-pretty sys.s1.p8.stats

B.

> show system state filter-pretty sys.s1.p8.phy

C.

> show interface ethernet1/8

D.

> show system state filter-pretty sys.s1.p8.med

Questions 44

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

Options:

A.

Run the CLI command show advanced-routing ospf neighbor

B.

In the WebUI, view the Runtime Stats in the logical router.

C.

In the WebUI, view the Runtime Stats in the virtual router.

D.

Look for configuration problems in Network > virtual router > OSPF

Questions 45

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

Options:

A.

The interface must be used for traffic to the required services

B.

You must enable DoS and zone protection

C.

You must set the interface to Layer 2, Layer 3, or virtual wire

D.

You must use a static IP address

Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2
Last Update: Jun 2, 2023
Questions: 304