Palo Alto Networks PCNSE Study Guide Updated – Practice The Latest PCNSE Exam Questions

1. An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA1?

2. What can an engineer use with GlobalProtect to distribute user-specific client certificates to each GlobalProtect user?

3. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

4. the firewall's device group as post-rules

How will the rule order populate once pushed to the firewall?

5. When using certificate authentication for firewall administration, which method is used for authorization?

6. Which statement accurately describes service routes and virtual systems?

7. Which statement regarding HA timer settings is true?

8. Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized.

Given the size of this environment, which User-ID collection method is sufficient?

9. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

10. You have upgraded your Panorama and Log Collectors lo 10.2 x. Before upgrading your firewalls using Panorama, what do you need do?

11. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?

12. When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

13. A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients Prisma Access has been selected to replace the current remote access VPN solution.

During onboarding the following options and licenses were selected and enabled

- Prisma Access for Remote Networks 300Mbps

- Prisma Access for Mobile Users 1500 Users

- Cortex Data Lake 2TB

- Trusted Zones trust

- Untrusted Zones untrust

- Parent Device Group shared

How can you configure Prisma Access to provide the same level of access as the current VPN solution?

14. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

15. What can be used to create dynamic address groups?

16. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

17. Which GlobalProtect component must be configured to enable Clientless VPN?

18. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

19. An administrator wants to enable WildFire inline machine learning.

Which three file types does WildFire inline ML analyze? (Choose three.)

20. Which CLI command is used to determine how much disk space is allocated to logs?

21. Which statement best describes the Automated Commit Recovery feature?

22. Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall.

Which setting can the administrator configure on the firewall to log grayware verdicts?

23. Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

24. A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config.

The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because

25. Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data Lake?

26. What is the best description of the HA4 Keep-Alive Threshold (ms)?

27. Which configuration task is best for reducing load on the management plane?

28. When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

29. SAML SLO is supported for which two firewall features? (Choose two.)

30. A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know as much as they can about QoS before deploying.

Which statement about the QoS feature is correct?

31. An administrator is building Security rules within a device group to block traffic to and from malicious locations

How should those rules be configured to ensure that they are evaluated with a high priority?

32. A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited.

Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?

33. You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.

When upgrading Log Collectors to 10.2, you must do what?

34. What is the best description of the HA4 Keep-Alive Threshold (ms)?

35. Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)

36. The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

Why is the AE interface showing down on the passive firewall?

37. Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

38. An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

39. What are three reasons for excluding a site from SSL decryption? (Choose three.)

40. Which configuration is backed up using the Scheduled Config Export feature in Panorama?

41. What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?

42. A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

43. An engineer is pushing configuration from Panorama lo a managed firewall.

What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

44. An administrator wants multiple web servers In the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the image, which NAT rule will forward web-browsing traffic correctly?

A)

B)

C)

D)

45. A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

46. A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

47. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

48. A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443 A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cJeartext web-browsing traffic to this server on tcp/443?

49. While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column.

What best explains these occurrences?

50. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

51. A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?