Updated PCNSE Dumps V23.02: Ensuring Your Success in the Palo Alto Networks Certified Network Security Engineer Exam

1. The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

Why is the AE interface showing down on the passive firewall?

2. An administrator is building Security rules within a device group to block traffic to and from malicious locations

How should those rules be configured to ensure that they are evaluated with a high priority?

3. An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

4. Which benefit do policy rule UUlDs provide?

5. Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

6. A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)

7. Which time determines how long the passive firewall will wait before taking over as the active firewall alter losing communications with the HA peer?

8. An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

9. What are three reasons for excluding a site from SSL decryption? (Choose three.)

10. A security engineer received multiple reports of an IPSec VPN tunnel going down the night before. The engineer couldn't find any events related to VPN under system togs.

What is the likely cause?

11. In the screenshot above which two pieces of information can be determined from the ACC configuration shown? (Choose two)

12. An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.

Which troubleshooting command should the engineer use to work around this issue?

13. A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

A)

B)

C)

D)

14. An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

15. How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advance Routing Engine run on PAN-OS 10.2?

16. An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

17. Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall.

Which setting can the administrator configure on the firewall to log grayware verdicts?

18. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

19. A network security administrator wants to configure SSL inbound inspection.

Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)

20. During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted

How should the engineer proceed?

21. An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action.

How can the administrator create an exception for this particular file?

22. An administrator is configuring a Panorama device group

Which two objects are configurable? (Choose two)

23. Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

24. A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

25. What is a correct statement regarding administrative authentication using external services with a local authorization method?

26. The following objects and policies are defined in a device group hierarchy

A. Address Objects

-Shared Address1

-Shared Address2

-Branch Address1

Policies

-Shared Policy1

-Branch Policy1

B. Address Objects

-Shared Address1

-Shared Address2

-Branch Address1

-DC Address1

Policies

-Shared Policy1

-Shared Policy2

-Branch Policy1

C.

Address Objects

-Shared Address 1

-Branch Address2

Policies -Shared Polic1

-Branch Policy 1

D)

Address Objects

-Shared Address 1

-Shared Address 2

-Branch Address 1

Policies

-Shared Policy 1

-Shared Policy 2

-Branch Policy 1

A. Option A

B. Option B

C. Option C

D. Option D

27. A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

28. A super user is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups m their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

29. An administrator would like to determine which action the firewall will take for a specific CVE.

Given the screenshot below, where should the administrator navigate to view this information?

30. A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

31. How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

32. What is considered the best practice with regards to zone protection?

33. An administrator needs to assign a specific DNS server to one firewall within a device group.

Where would the administrator go to edit a template variable at the device level?

34. An engineer discovers the management interface is not routable to the User-ID agent

What configuration is needed to allow the firewall to communicate to the User-ID agent?

35. An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

36. An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks Which sessions does Packet Buffer Protection apply to?

37. Which log type will help the engineer verify whether packet buffer protection was activated?

38. What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

39. Which configuration is backed up using the Scheduled Config Export feature in Panorama?

40. Which two statements correctly describe Session 380280? (Choose two.)

41. When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?

42. A network administrator wants to deploy SSL Forward Proxy decryption.

What two attributes should a forward trust certificate have? (Choose two.)

43. After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

44. Four configuration choices are listed, and each could be used to block access to a specific URL

II you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL1?

45. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

46. Given the screenshot, how did the firewall handle the traffic?

47. the firewall's device group as post-rules

How will the rule order populate once pushed to the firewall?

48. Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)

49. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

50. A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.

The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.

What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

51. Which log type would provide information about traffic blocked by a Zone Protection profile?

52. What is the dependency for users to access services that require authentication?

53. An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

54. During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

55. A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.

Where is the best place to validate if the firewall is blocking the user's TAR file?

56. Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

57. An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

58. An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

59. Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

60. A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama.

What are the next steps to migrate configuration from the firewalls to Panorama?

61. What are two best practices for incorporating new and modified App-IDs? (Choose two.)

62. An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

63. Which profile generates a packet threat type found in threat logs?

64. An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

65. DRAG DROP

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.

66. A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

67. A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

68. An engineer needs to redistribute User-ID mappings from multiple data centers.

Which data flow best describes redistribution of user mappings?

69. What can be used to create dynamic address groups?

70. An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface

What are three supported functions on the VWire interface? (Choose three)

71. In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription On each firewall. WildFire togs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

72. An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department.

Which dynamic role does the administrator assign to the new-hire colleague?

73. WildFire will submit for analysis blocked files that match which profile settings?

74. What is a key step in implementing WildFire best practices?

75. While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column What best explains these occurrences?

76. A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config.

The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because

77. An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025.

The validity date on the PA-generated certificate is taken from what?

78. A company is deploying User-ID in their network. The firewall learn needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules

How can this be achieved?

79. An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.

What can the administrator do to correct this issue?

80. When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

81. Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

82. The same route appears in the routing table three times using three different protocols

Which mechanism determines how the firewall chooses which route to use?

83. An engineer is configuring SSL Inbound Inspection for public access to a company's application.

Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

84. An administrator creates an application-based security policy rule and commits the change to the firewall.

Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

85. DRAG DROP

Match each GlobalProtect component to the purpose of that component

86. A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.

Which certificate is the best choice to configure as an SSL Forward Trust certificate?

87. What best describes the HA Promotion Hold Time?

88. An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

89. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

90. A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone.

What should the firewall administrator do to mitigate this type of attack?