
PCNSE Certification 252-301

Test title: PCNSE Certification 252-301

Description: PCNSE Certification

Creation date: 2025/07/21

Category: Other

Number of questions: 50

Rating: (0)

Contents:

252- Which three sessions are created by a NGFW for web proxy? (Choose three.)
- a session for web server to client.
- a session for DNS proxy to DNS server.
- a session for proxy to authentication server.
- a session for client to proxy.
- a session for proxy to web servers.

253- Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)
- Python.
- Perl.
- PS1.
- VBS.

254- What type of NAT is required to configure transparent proxy?
- destination translation with static ip.
- destination translation with dynamic ip.
- source translation with dynamic ip and port.
- source translation with static ip.

255- An administrator is troubleshooting intermittent connectivity problems with a user’s GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user. What configuration change is necessary to implement this troubleshooting solution for the user?
- Enable SSL tunnel over TCP in a new agent configuration for the specific user.
- Modify the user’s client to prioritize UDP traffic for GlobalProtect.
- Enable SSL tunnel within the GlobalProtect gateway remote user’s settings.
- Increase the user’s VPN bandwidth allocation in the GlobalProtect settings.

256- An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing. Which installer package file should the administrator download from the support site?
- UaCredInstall64-11.0.0.msi.
- Globalprotect64-6.2.1.msi.
- TaInstall-11.0.0.msi.
- UaInstall-11.0.0.msi.

257- Certain services in a customer implementation are not working, including Palo Alto Networks dynamic version updates. Which CLI command can the firewall administrator use to verify that the service routes were correctly installed and are active in the management plane?
- show routing route type service-route.
- debug dataplane internal vif route 250.
- debug dataplane internal vif route 255.
- show routing route type management.

258- A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?
- Multiple external gateways.
- Single or multiple internal gateways.
- Split DNS and HIP checks.
- IPv6 for internal gateways.

259- Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
- It can run only on a single virtual system.
- It can run only on a virtual system with an alias named “web proxy.”
- It can run on a single virtual system and multiple virtual systems.
- It can run on multiple virtual systems without issue.

260- An administrator configures HA on a customer’s Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping interval and ping count before a failover is triggered?
- Ping interval of 200 ms and ping count of three failed pings.
- Ping interval of 200 ms and ping count of 10 failed pings.
- Ping interval of 5000 ms and ping count of 10 failed pings.
- Ping interval of 5000 ms and ping count of three failed pings.

261- Ping interval of 5000 ms and ping count of three failed pings.
- Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.
- DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.
- A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.
- A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

262- An administrator plans to install the Windows-Based User-ID Agent. What type of Active Directory (AD) service account should the administrator use?
- Dedicated Service Account.
- Enterprise Administrator.
- System Account.
- Domain Administrator.

263- An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?
- Terminal Server Agent for User Mapping.
- Windows-Based User-ID Agent.
- PAN-OS XML API.
- PAN-OS Integrated User-ID Agent.

264- When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
- Custom Application.
- Source Interface.
- Source Device.
- Schedule.

265- A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file. What does Advanced WildFire do when the link is clicked?
- Does not perform malicious content analysis on either the linked page or the corresponding PE file.
- Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file.
- Performs malicious content analysis on the linked page, but not the corresponding PE file.
- Performs malicious content analysis on the linked page and the corresponding PE file.

266- A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two.)
- TLS.
- SSL.
- HTTP.
- Email.

267- A firewall administrator manages sets of firewalls which must have two unique idle timeout values. Datacenter firewalls need to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?
- Create two separate template stacks, one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_Template are at the top of their stack.
- Create two separate template stacks, one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_Template are at the bottom of their stack.
- Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.
- Create one template stack and place the Datacenter_Template in higher priority than BranchOffice_Template.

268- A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?
- Central.
- South.
- East.
- West.

269- A company wants to deploy IPv6 on its network, which requires that all company Palo Alto Networks firewalls process IPv6 traffic and be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?
- Device > Setup Settings. Enable on each interface.
- Network > Zone Settings. Do not enable on each interface.
- Network > Zone Settings. Enable on each interface.
- Device > Setup Settings. Do not enable on each interface.

270- Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)
- Panorama must be used to manage HA cluster members.
- HA cluster members must be the same firewall model and run the same PAN-OS version.
- HA cluster members must share the same zone names.
- Dedicated HA communication interfaces for the cluster must be used over HA1/HA2 interfaces (HSCI).

271- An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed. Which set of actions should the engineer take to achieve this goal?
- 1. Create a new log forwarding profile. 2. Add a new match list for threat log type. 3. Define the filter. 4. Select the syslog forward method.
- 1. Open the current log forwarding profile. 2. Add a new match list for threat log type. 3. Define the filter. 4. Select the syslog forward method.
- 1. Open the current log forwarding profile. 2. Open the existing match list for threat log type. 3. Define the filter. 4. Select the syslog forward method.
- 1. Create a new log forwarding profile. 2. Add a new match list for threat log type. 3. Define the filter. 4. Select the Panorama and syslog forward methods.

272- A customer would like to support Apple Bonjour in their environment for ease of configuration. Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
- Loopback interface.
- Layer 3 interface.
- Layer 2 interface.
- Virtual Wire interface.

273- An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
- Test Policy Match.
- Managed Devices Health.
- Preview Changes.
- Policy Optimizer.

274- An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?
- Config Audit.
- Application Groups.
- Policy Optimizer.
- Policy Optimizer.

275- A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?
- Select the appropriate DH Group under the IPSec Crypto profile.
- Add an authentication algorithm in the IPSec Crypto profile.
- Enable PFS under the IPSec Tunnel advanced options.
- Enable PFS under the IKE gateway advanced options.

276- A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
- Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".
- Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration.
- Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration.
- Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates".

277- What is the most likely reason for this decryption error log?
- The certificate fingerprint could not be found.
- The client expected a certificate from a different CA than the one provided.
- The client receives a CA certificate that has expired or is not valid.
- Entrust is not a trusted root certificate authority (CA).

278- Users have reported an issue when they are trying to access a server on your network. The requests aren’t taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?
- Bidirectional Forwarding Detection.
- The first route installed.
- The route with the lowest administrative distance.
- The route with the highest administrative distance.

279- An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management. Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
- An SSL/TLS Service profile with a certificate assigned.
- An Interface Management profile with HTTP and HTTPS enabled.
- An Authentication profile with the allow list of users.
- A Certificate profile with a trusted root CA.

280- A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?
- 1. Create Security Profiles for Antivirus and Anti-Spyware. 2. Create a Security Profile Group that includes the Antivirus and Anti-Spyware profile. 3. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. 4. Create a Security policy that has the Profile Setting - Profile Type selected to Group. 5. Enable GlobalProtect Portal Agent for HIP Notification.
- 1. Create Security Profiles for Antivirus and Anti-Spyware. 2. Create a Security Profile Group that includes the Antivirus and Anti-Spyware profiles. 3. Enable GlobalProtect Portal Agent to collect HIP Data Collection. 4. Create a Security policy that matches source device object. 5. Enable GlobalProtect Gateway Agent for HIP Notification.
- 1. Create a HIP Object with Anti-Malware enabled and Real Time Protection set to yes. 2. Create a HIP Profile that matches the HIP object criteria. 3. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. 4. Create a Security policy that matches source device object. 5. Enable GlobalProtect Portal Agent for HIP Notification.
- 1. Create a HIP Object with Anti-Malware enabled and Real Time Protection set to yes. 2. Create a HIP Profile that matches the HIP object criteria. 3. Enable GlobalProtect Portal Agent to collect HIP Data Collection. 4. Create a Security policy that matches source HIP profile. 5. Enable GlobalProtect Gateway Agent for HIP Notification.

281- What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
- It generates a decryption error message but allows the traffic to continue decryption.
- It automatically adds the server to the SSL Decryption Exclusion list.
- It blocks all communication with the server indefinitely.
- It downgrades the protocol to ensure compatibility.

282- A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing. Which action is the most operationally efficient for the security engineer to find and implement the exception?
- Open a support case.
- Review traffic logs to add the exception from there.
- Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.
- Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.

283- A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 150 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules. What is the engineer's next step?
- Create two Group Mappings, each with 400 groups in the Group Include List.
- Create a Group Include List with the 800 Active Directory groups.
- Create a Group Mapping with 800 groups in the Group Include List.
- Create two Group Include Lists, each with 400 Active Directory groups.

284- An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90. When firewall-01 is rebooted, is there any action taken by the firewalls?
- Yes - Firewall-02 takes over as the active-primary firewall; firewall-02 remains the active-primary member after firewall-01 becomes functional.
- No - Neither firewall takes any action because firewall-01 cannot be rebooted when configured with device priority of 90.
- No - Neither firewall takes any action because firewall-02 is already the active-primary member.
- Yes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.

285- Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
- Managed Devices Health.
- Test Policy Match.
- Policy Optimizer.
- Preview Change.

286- What is the benefit of the artificial intelligence operations (AIOps) Plugin for Panorama?
- The AIOps plugin in Panorama retroactively checks the policy changes during the commits.
- It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama.
- It automatically pushes the configuration to Panorama after strengthening the overall security posture.
- The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment.

287- How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
- Configure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, create signature policies for the relevant signatures and/or severities. Under the “Actions” tab in “Signature Policies,” select “block-user”.
- Configure a User-ID agent for the users to be blocked. In a rule containing that user group, set the action to “Deny,” and apply Threat Prevention profiles. This will automatically block any malicious users detected in the threat log.
- Configure a dynamic address group for the addresses to be blocked with the tag “malicious.” Add a Log Forwarding profile to the other policies, which adds the “malicious” tag to these addresses when logs are generated in the threat log. Under Docker → User Identification → Trusted Source Address, add the condition “NOT malicious.”
- Configure a dynamic user group for the users to be blocked with the tag “malicious.” Add a Log Forwarding profile to the other policies, which adds the “malicious” tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.

288- During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow". Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
- Confirm the file types and direction are configured correctly in the WildFire analysis profile.
- Configure the appropriate actions in the file blocking profile.
- Configure the appropriate actions in the antivirus security profile.
- Confirm the file size limits are configured correctly in the WildFire general settings.

289- An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group, while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected. What is the most likely cause of this issue?
- Panorama requires the objects to be overridden in the child device group before firewalls in different hypervisors can inherit Security policies.
- Panorama must use the same plugin version numbers for both AWS and NSX-V environments before device group inheritance can function properly.
- Panorama does not support policy inheritance across device groups containing firewalls deployed in different hypervisors when using multiple plugins.
- Panorama by default does not allow different hypervisors in parent/child device groups, but this can be overridden with the command.

290- What must be taken into consideration when preparing a log forwarding design for all of a customer’s deployed Palo Alto Networks firewalls?
- App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected.
- Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules.
- Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings".
- The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected.

291- A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two.)
- Create or update a Vulnerability Protection profile, go to the DNS Policies/DNS Zone Misconfiguration section, then add the domains to be protected.
- Create or update an Anti-Spyware profile, go to the DNS Policies/DNS Zone Misconfiguration section, then add the domains to be protected.
- Verify the NGFWs have the Advanced DNS Security and Advanced Threat Prevention licenses installed and validated.
- Verify the NGFWs have the Advanced DNS Security and Advanced URL Filtering licenses installed and validated.

292- A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?
- Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed.
- Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface.
- Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface’s IP.
- Create a service route that sets the source interface to the data plane interface in question.

293- A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)
- IPSEC with Hybrid ID exchange.
- IKEv2 with Post-Quantum Pre-shared Keys.
- IKEv1 only to deactivate the use of public key encryption.
- IKEv2 with Hybrid Key exchange.

294- Which two actions can the administrative role called "vsysadmin" perform? (Choose two.)
- Configure interfaces and subinterfaces that exist in the assigned vsys.
- Create and edit Security policies and security profiles for only the assigned vsys.
- Configure resource limits for the NGFW system.
- Commit changes made to the candidate configuration of the assigned vsys.

295- Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?
- Change the "GlobalProtect Gateway -> Agent -> Network Services -> Split Tunnel -> No direct access to local network" setting to "off".
- Change the "GlobalProtect Portal -> Agent -> App -> Split Tunnel -> No direct access to local network" setting to "off".
- Change the "GlobalProtect Gateway -> Agent -> Client Settings -> Split Tunnel -> No direct access to local network" setting to "off".
- Change the "GlobalProtect Portal -> Satellite -> Gateways -> No direct access to local network" setting to "off".

296- A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?
- Add specific applications that are seen when creating cloned rules.
- Create a custom application and define it by the correct TCP and UDP ports.
- Create an application filter based on the existing application category and risk.
- Add the relevant container application when creating cloned rules.

297- Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
- The standalone User-ID agent must run directly on the domain controller server.
- The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW's management CPU.
- The PAN-OS integrated User-ID agent must be a member of the Active Directory domain.
- The standalone User-ID agent consumes fewer resources on the NGFW's management CPU.

298- An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?
- Add the subnets of both the user machine and the resource to the "Include List" in the User-ID agent configuration.
- Remove the identity redistribution rules synced from Cloud Identity Engine from the User-ID agent configuration.
- Remove the rate-limiting rule that is assigned to User A access from the User-ID agent configuration.
- Add service accounts running on that machine to the "Ignore User List" in the User-ID agent setup.

299- Which translated port number should be used when configuring a NAT rule for transparent proxy?
- 4443.
- 443.
- 8080.
- 80.

300- Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The preparatory steps have been completed in Panorama (Panorama upgraded, backups made, content updates and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?
- Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer.
- Upgrade both HA peers at the same time using Panorama's "Group HA Peers" option to ensure version consistency.
- Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer.
- Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability.

301- Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two.)
- User-ID.
- WildFire.
- GlobalProtect.
- Authentication.
