PCNSE Certification 1-60
Test title: PCNSE Certification 1-60
Description: PCNSE Certification




1- An administrator cannot see any traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, would most likely stop only the traffic logs from being sent from the NGFW to Panorama?
- Security Policy Rule
- Panorama Settings
- Syslog Server Profile
- Panorama Settings / Panorama Server

2- Which will be the egress interface if the traffic's ingress interface is ethernet1/7, sourcing from 192.168.11.3 and going to the destination 10.46.41.113?
A. Ethernet 1/3
B. Ethernet 1/6
C. Ethernet 1/5
D. Ethernet 1/7

3- The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect portal and GlobalProtect gateway
B. GlobalProtect app and GlobalProtect portal
C. GlobalProtect app and GlobalProtect satellite
D. GlobalProtect app and GlobalProtect gateway

4- In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
A. 6 to 12 hours
B. 36 hours
C. 24 hours
D. 1 to 4 hours

5- Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app? "Failed to connect to server at port 4767"
A. The PanGPA process failed to connect to the PanGPS process on port 4767.
B. The PanGPS process failed to connect to the PanGPA process on port 4767.
C. The GlobalProtect app failed to connect to the GlobalProtect gateway on port 4767.
D. The GlobalProtect app failed to connect to the GlobalProtect portal on port 4767.

6- A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS service profile to provide secure Web UI authentication? Select 3.
A. Maximum TLS version
B. Minimum TLS version
C. Encryption algorithm
D. Authentication algorithm
E. Certificate

7- SSL Forward Proxy decryption is configured, but the firewall uses untrusted-CA to sign the website https://www.important-website.com certificate. End users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: well-known-intermediate and well-known-root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1- End users must not get the warning for the https://www.very-important-website.com/ website.
2- End users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
A. Clear the Forward Untrust Certificate check box on the untrusted-CA certificate and commit the configuration.
B. Navigate to Device > Certificate Management > Certificates > Device Certificates, import well-known-intermediate-CA and well-known-root-CA, select the Trusted Root CA check box, and commit the configuration.
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import well-known-intermediate-CA and well-known-root-CA, select the Trusted Root CA check box, and commit the configuration.
D. Install the well-known-intermediate-CA and well-known-root-CA certificates on all end-user systems in the user and local computer stores.

8- With default TCP and UDP settings on the firewall, what will be the identified application in the following session? (In the real exam, check the IP protocol to answer properly.)
A. insufficient-data
B. unknown-udp
C. incomplete
D. unknown-tcp

9- What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
A. IP address
B. IP range
C. IP wildcard mask
D. IP netmask

10- An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Use the ACC to consolidate the logs.
B. Use the scp logdb export command.
C. Use the import option to pull logs.
D. Export the log database.

11- Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
A. The host lab-client has been found by a domain controller.
B. The User-ID agent is connected to a domain controller labeled lab-client.
C. The host lab-client has been found by the User-ID agent.
D. The User-ID agent is connected to the firewall labeled lab-client.

12- Which GlobalProtect gateway setting is required to enable split tunneling by access route, destination domain, and application?
A. Satellite mode
B. IPsec mode
C. No direct access to local networks
D. Tunnel mode

13- An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?
A. Add a firewall to both the device group and the template.
B. Specify the target device as the master device in the device group.
C. Enable "share unused address and service objects with devices" in Panorama settings.
D. Add the template as a reference template in the device group.

14- Which protocol is supported by GlobalProtect Clientless VPN?
A. FTP
B. RDP
C. HTTPS
D. SSH

15- Which statement regarding HA timer settings is true?
A. Use the aggressive profile for slower failover timer settings.
B. Use the moderate profile for typical failover timer settings.
C. Use the critical profile for faster failover timer settings.
D. Use the recommended profile for typical failover timer settings.

16- An administrator cannot see any traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, would most likely stop only the traffic logs from being sent from the NGFW to Panorama?
- Security Policy Rule
- Panorama Settings
- Syslog Server Profile
- Panorama Settings / Panorama Server

17- Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?
A. The "shared" device group
B. Template stacks
C. Template variables
D. A device group

18- A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
A. show routing protocol bgp state
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp rib-out

19- A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
- Choose the URL categories in the User Credential Submission column and set action to block, select the User Credential Detection tab and select Use IP User Mapping. Commit.
- Choose the URL categories on the Site Access column and set action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.
- Choose the URL categories in the User Credential Submission column and set action to block, select the User Credential Detection tab and select Use Domain Credential Filter. Commit.
- Choose the URL categories in the User Credential Submission column and set action to block, select the URL filtering settings and enable Domain Credential Filter. Commit.

20- A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?
- Configure the peer address as FQDN.
- Enable Passive Mode.
- Use the Dynamic IP Address type.
- Set up certificate authentication.

21- A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface management profile to secure management access? Select 3.
A. HTTPS
B. Permitted IP addresses
C. HTTP
D. SSH
E. User-ID

22- Please match the terms to their corresponding definitions.
- Management Plane
- Signature Matching
- Security Processing
- Network Processing

23- Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
- Log Collector
- Panorama
- Management Only
- Legacy

24- What is the best description of the cluster synchronization timeout (min)?
- The time frame within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
- The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
- The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
- The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

25- An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section?
A. Network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange.
B. Network 192.168.28.32/27 with server type Microsoft.
C. The IP address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers.
D. One IP address of a Microsoft Active Directory server and "Auto Discover" enabled to automatically obtain all five of the other servers.

26- An administrator connected a new fiber cable and transceiver to interface ethernet 1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up. If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?
A. show system state filter sw.dev.interface.config
B. show chassis status slot s1
C. show system state filter ethernet 1/1
D. show system state filter-pretty sys.s1.*

28- Which Panorama feature protects logs against data loss if a Panorama server fails?
A. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.
B. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
C. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
D. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

29- A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
A. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
B. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

30- An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
A. The firewall rejects the pushed configuration, and the commit fails.
B. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
C. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
D. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

31- Which User-ID method should be used in a high-security environment where all IP-address-to-user mappings should always be explicitly known?
A. GlobalProtect
B. LDAP Server Profile Configuration
C. Windows-Based User-ID Agent
D. PAN-OS integrated User-ID Agent

32- An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? Select 3.
A. OSPFv3 virtual link
B. OSPF
C. IGRP
D. BGP
E. RIP

33- Given the screenshot, how did the firewall handle the traffic?
A. The traffic was allowed by policy but denied by profile as encrypted.
B. Traffic was allowed by profile but denied by policy as a threat.
C. The traffic was allowed by policy but denied by profile as nonstandard port.
D. The traffic was allowed by policy but denied by profile as a threat.

34- Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted. What is the result of traffic that matches the "Alert-Threats" profile match list?
A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
C. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
D. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

35- A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?
A. Configure vwire interfaces for segment X on the firewall.
B. Configure a Layer 3 interface for segment X on the firewall.
C. Configure the TAP interface for segment X on the firewall.
D. Configure a new vsys for segment X on the firewall.

36- An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.
A. Only Panorama can revert the override.
B. Panorama will update the template with the overridden value.
C. The firewall template will show that it is out of sync within Panorama.
D. Panorama will lose visibility into the overridden configuration.

37- A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.
A. A Machine Certificate for the firewall signed by the organization’s PKI.
B. A web server certificate signed by the organization’s PKI.
C. A subordinate Certificate Authority certificate signed by the organization’s PKI.
D. A self-signed Certificate Authority certificate generated by the firewall.

38- What is the best definition of the Heartbeat Interval?
A. The interval during which the firewall will remain active following a link monitor failure.
B. The frequency at which the HA peers exchange ping.
C. The interval in milliseconds between hello packets.
D. The frequency at which the HA peers check link or path availability.

39- An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three.)
A. PA-220
B. PA-800 Series
C. PA-5000
D. PA-500
E. PA-3400 Series

40- Which three options does Panorama offer for deploying dynamic updates to its managed devices? Choose three.
A. Verify
B. Revert content
C. Schedules
D. Install
E. Check dependencies

41- A network administrator is troubleshooting an issue with Phase 2 of an IPsec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?
A. IKE gateway profile
B. IPsec tunnel settings
C. IPsec crypto profile
D. IKE crypto profile

42- Given the following snippet of a WildFire submission log, did the end user successfully download a file?
A. No, because the action for the wildfire-virus is "reset-both".
B. Yes, because both the web-browsing application and the flash file have the "alert" action.
C. Yes, because the final action is set to "allow".
D. No, because the URL generated an alert.

43- During the implementation of SSL Forward Proxy decryption, an administrator imports the company's enterprise root CA and intermediate CA certificates onto the firewall. The company's root and intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or subordinate certificates requiring an enterprise CA chain of trust are signed by the company's intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
A. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
B. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.
C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

44- A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat logs. What should the administrator do to allow the tool to scan through the firewall?
A. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.
B. Change the TCP port scan action from block to alert in the Zone Protection profile.
C. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.
D. Remove the Zone Protection profile from the zone setting.

45- Using the above screenshot of the ACC, which is the best method to set a global filter, narrow down blocked user activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the botnet threat category.
B. Click the source user with the highest threat count.
C. Click the hyperlink for the ZeroAccess.Gen threat.
D. Click the left arrow beside the ZeroAccess.Gen threat.

46- An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?
A. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.
B. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.
D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

47- An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?
A. test vpn gateway
B. test vpn flow
C. test vpn ike-sa
D. test vpn tunnel

48- An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? Choose 2.
A. Server monitoring
B. XFF headers
C. Syslog
D. Client probing

49- Based on the screenshots above, and with no configuration inside the template stack itself, what access will the device permit on its management port?
A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet2.
B. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permited-subnet-1 and $permitted-subnet-2.
C. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
D. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

50- As a best practice, logging at session start should be used in which case?
A. While troubleshooting
B. Only on Deny rules
C. Only when log at session end is enabled
D. On all Allow rules

27- A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
A. # set deviceconfig setting session tcp-reject-non-syn no
B. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non Syn TCP" to No, and set "Asymmetric Path" to Bypass.
C. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non Syn TCP" to Global, and set "Asymmetric Path" to Global.
D. > set session tcp-reject-non-syn no

51- What must be configured to apply tags automatically to User-ID logs?
A. User mapping
B. Log Forwarding profile
C. Log settings
D. Group mapping

52- View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? Select two.
A. DNS has a higher priority and more bandwidth than SSH.
B. Facetime has a higher priority but lower bandwidth than Zoom.
C. SMTP has a higher priority but lower bandwidth than Zoom.
D. Google-video has a higher priority and more bandwidth than WebEx.

53- Review the screenshots and consider the following information:
1- FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC.
2- There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside address object Server-1?
A. Server-1 on FW-1 will have IP 3.3.3.3 and Server-1 will not be pushed to FW-2.
B. Server-1 on FW-1 will have IP 2.2.2.2 and Server-1 will not be pushed to FW-2.
C. Server-1 on FW-1 will have IP 1.1.1.1 and Server-1 will not be pushed to FW-2.
D. Server-1 on FW-1 will have IP 4.4.4.4 and Server-1 on FW-2 will have IP 1.1.1.1.

54- Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
A. Short message service
B. Push
C. User logon
D. One-Time Password
E. SSH key

55- The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?
A. Management only mode
B. GlobalProtect agent version
C. Expired certificate
D. Outdated plugins

56- Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
A. A Decryption policy to decrypt the traffic and see the tag.
B. A Deny policy with the “tag” App-ID to block the tagged traffic.
C. An Allow policy for the initial traffic.
D. A Deny policy for the tagged traffic.

57- A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? Choose 2.
A. Create a tunnel inspection policy.
B. Enable decryption.
C. Block traffic that is not work-related.
D. Exclude video traffic.

58- An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?
A. From the Monitor tab, click Session Browser and review the session details.
B. From the Monitor tab, click Traffic view; ensure that the source or destination NAT columns are included and review the information in the detailed log view.
C. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules.
D. From the Monitor tab, click Traffic view and review the information in the detailed log view.

59- An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? Choose 3.
A. /plugins
B. /software
C. /license
D. /opt
E. /content

60- An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)
A. URL Filtering profiles
B. SSL/TLS profiles
C. Address groups
D. DNS Proxy