When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

You must use a static IP address

The interface must be used for traffic to the required services

You must enable DoS and zone protection

You must set the interface to Layer 2 Layer 3. or virtual wire

You must use a static IP address

Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.How can the issue be corrected?

Override a template value using a template stack variable.

Override the value on the NYCFW template.

Override a template value using a template stack variable.

Override the value on the Global template.

Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks

Add a WildFire subscription to activate DoS and zone protection features

Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems

A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, / license and /software Why did the bootstrap process fail for the VM-Series firewall in Azure?

The /content folder is missing from the bootstrap package

All public cloud deployments require the /plugins folder to support proper firewall native integrations

The /content folder is missing from the bootstrap package

The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing

The /config or /software folders were missing mandatory files to successfully bootstrap

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas) i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system ) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-lntermediate-CA iv. Enterprise-Root-CA which is verified only as Trusted Root CA An end-user visits https // www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

Enterprise-Untrusted-CA which is a self-signed CA

Enterprise-Trusted-CA which is a self-signed CA

Enterprise-lntermediate-CA which was. in turn, issued by Enterprise-Root-CA

Enterprise-Root-CA which is a self-signed CA

What best describes the HA Promotion Hold Time?

the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost

the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices

the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously

the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost

the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Use the debug dataplane packet-diag set capture stage firewall file command.

Enable all four stages of traffic capture (TX, RX, DROP, Firewall).

Use the debug dataplane packet-diag set capture stage management file command.

What is the best description of the HA4 Keep-Alive Threshold (ms)?

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.What are two reasons why the firewall might not use a static route? (Choose two.)

path monitoring on the static route

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended Where would you find this in Panorama or firewall logs?

You cannot find failover details on closed sessions

SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me "security certificate isnot trusted is warning Without SSL decryption the web browser shows that the website certificate istrusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root- CA.The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:1 End-users must not get the warning for the https://www.very-important-website.com website.2 End-users should get the warning for any other untrusted websiteWhich approach meets the two customer requirements?

Install the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems m the user and local computer stores

Navigate to Device > Certificate Management > Certificates > Device Certificates import Well- Known-lntermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the configuration

Install the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems m the user and local computer stores

Navigate to Device > Certificate Management - Certificates s Default Trusted Certificate Authorities import Well-Known-intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box and commit the configuration

Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Yes. because the action is set to "allow ''

No because WildFire categorized a file with the verdict "malicious"

Yes because the action is set to "alert"

No because WildFire classified the seventy as "high."

Which configuration task is best for reducing load on the management plane?

Disable logging on the default deny rule

Enable session logging at start

Set the URL filtering action to send alerts

The UDP-4501 protocol-port is used between which two GlobalProtect components?

GlobalProtect app and GlobalProtect gateway

GlobalProtect portal and GlobalProtect gateway

GlobalProtect app and GlobalProtect satellite

GlobalProtect app and GlobalProtect portal

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/ sub interface to a unique zone.

Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.

Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/ sub interface to a unique zone.

Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface tA. unique zone. Do not assign any interface an IP address.

Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.

An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.What should the enterprise do to use PAN-OS MFA?

Configure a Captive Portal authentication policy that uses an authentication sequence

Configure a Captive Porta1 authentication policy that uses an authentication profile that references a RADIUS profile

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy

Configure a Captive Portal authentication policy that uses an authentication sequence

Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns

PBF can address which two scenarios? (Select Two)

providing application connectivity the primary circuit fails

routing FTP to a backup ISP link to save bandwidth on the primary ISP link

forwarding all traffic by using source port 78249 to a specific egress interface

providing application connectivity the primary circuit fails

enabling the firewall to bypass Layer 7 inspection

routing FTP to a backup ISP link to save bandwidth on the primary ISP link

Which data flow describes redistribution of user mappings?

Domain Controller to User-ID agent

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Configure a security policy rule to allow new App-IDs that might have network-wide impact

Study the release notes and install new App-IDs if they are determined to have low impact

Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs

Configure a security policy rule to allow new App-IDs that might have network-wide impact

Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs

Study the release notes and install new App-IDs if they are determined to have low impact

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.How should the administrator identify the configuration changes?

review the configuration logs on the Monitor tab

click Preview Changes under Push Scope

use Test Policy Match to review the policies in Panorama

context-switch to the affected firewall and use the configuration audit tool

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Create a no-decrypt Decryption Policy rule.

Create a Security Policy rule with vulnerability Security Profile attached.

Create a no-decrypt Decryption Policy rule.

Configure an EDL to pull IP addresses of known sites resolved from a CRL.

Create a Dynamic Address Group for untrusted sites

Create a Security Policy rule with vulnerability Security Profile attached.

Enable the "Block sessions with untrusted issuers" setting.

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?Failed to connect to server at port:47 67

The PanGPA process failed to connect to the PanGPS process on port 4767

The PanGPS process failed to connect to the PanGPA process on port 4767

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

The PanGPA process failed to connect to the PanGPS process on port 4767

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

A customer is replacing their legacy remote access VPN solution The current solution is in place to secure only internet egress for the connected clients Prisma Access has been selected to replace the current remote access VPN solutionDuring onboarding the following options and licenses were selected and enabled- Prisma Access for Remote Networks 300Mbps- Prisma Access for Mobile Users 1500 Users- Cortex Data Lake 2TB- Trusted Zones trust- Untrusted Zones untrust- Parent Device Group sharedHow can you configure Prisma Access to provide the same level of access as the current VPN solution?

Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet

Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet

Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet

Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet

What is the best description of the HA4 Keep-Alive Threshold (ms)?

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

What is the function of a service route?

Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal

The service route is the method required to use the firewall's management plane to provide services to applications

The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address

The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address

Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal

What is considered the best practice with regards to zone protection?

Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse

Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs

If the levels of zone and DoS protection consume too many firewall resources, disable zone protection

Set the Alarm Rate threshold for event-log messages to high severity or critical severity

In the screenshot above which two pieces of information can be determined from the ACC configuration shown? (Choose two )

Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

The ACC has been filtered to only show the FTP application

The Network Activity tab will display all applications, including FTP.

Threats with a severity of "high" are always listed at the top of the Threat Name list

Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

The ACC has been filtered to only show the FTP application

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

Move the "Local" template above the "Global" template in the template stack.

Move the "Global" template above the "Local" template in the template stack.

Perform a commit and push with the "Force Template Values" option selected.

Move the "Local" template above the "Global" template in the template stack.

Override the values on the local firewall and apply the correct settings for each value.

WildFire will submit for analysis blocked files that match which profile settings?

files matching Anti-Virus signatures

files matching Anti-Spyware signatures

files that are blocked by URL filtering

files that are blocked by a File Blocking profile

files matching Anti-Virus signatures

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory What must be configured in order to select users and groups for those rules from Panorama?

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

A User-ID Certificate profile must be configured on Panorama

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption

Allow the firewall to block the sites to improve the security posture

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption

Install the unsupported cipher into the firewall to allow the sites to be decrypted

Create a Security policy to allow access to those sites

Palo Alto Networks PCNSE Practice Test 2 - Free Online Exam Prep & Questions

Question 1 / 40

An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

IPSec crypto profile mismatch

IPSec protocol mismatch

mismatched Proxy-IDs

bad local and peer identification IP addresses in the IKE gateway

Comment (0)

Palo Alto Networks PCNSE Practice Test 2

Question

Palo Alto Networks PCNSE Practice Tests

Practice Tests