PCNSE1
Title of test: PCNSE1

Description: Exam Questions



Question #552 Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

- Tunnel inspection.
- NAT.
- QoS.
- DoS protection.

Question #108 An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?

- Enable QoS interface.
- Enable QoS in the Interface Management Profile.
- Enable QoS Data Filtering Profile.
- Enable QoS monitor.

Question #459 An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of SSL traffic. Which three elements should the administrator configure to address this issue? (Choose three.)

- QoS on the egress interface for the traffic flows.
- QoS on the ingress interface for the traffic flows.
- A QoS profile defining traffic classes.
- A QoS policy for each application ID.
- An Application Override policy for the SSL traffic.

Question #43 An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW?

- Custom application.
- System logs show an application error and neither signature is used.
- Downloaded application.
- Custom and downloaded application signature files are merged and both are used.

Question #250 In URL filtering, which component matches URL patterns?

- live URL feeds on the management plane.
- security processing on the data plane.
- single-pass pattern matching on the data plane.
- signature matching on the data plane.

Question #329 WildFire will submit for analysis blocked files that match which profile settings?
- files matching Anti-Spyware signatures.
- files matching Anti-Virus signatures.
- files that are blocked by a File Blocking profile.
- files that are blocked by URL filtering.

Question #476 A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”. Which action will this configuration cause on the matched traffic?

- It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny”.
- The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
- It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
- The Profile Settings section will be grayed out when the Action is set to “Deny”.

Question #604 A firewall engineer has determined that, in an application developed by the company’s internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes. Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

- Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.
- Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.
- Create a custom application with specific timeouts, then create an application override rule and reference the custom application.
- Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.
Question #37 Which three functions are performed by the dataplane? (Choose three.)

- WildFire updates.
- NAT.
- NTP.
- antivirus.
- file blocking.

Question #99 Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)

- Content-ID.
- User-ID.
- Applications and Threats.
- Antivirus.

Question #137 A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers. Which Security Profile type will prevent these behaviors?

- Anti-Spyware.
- WildFire.
- Vulnerability Protection.
- Antivirus.

Question #395 A client is concerned about web shell attacks against their servers. Which profile will protect the individual servers?

- Anti-Spyware profile.
- Zone Protection profile.
- DoS Protection profile.
- Antivirus profile.

Question #187 When setting up a security profile, which three items can you use? (Choose three.)

- WildFire analysis.
- anti-ransomware.
- antivirus.
- URL filtering.
- decryption profile.

Question #382 / Question #383 A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks. The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate. What else should the administrator do to stop packet buffers from being overflowed?

- Apply DoS profile to security rules that allow traffic from outside.
- Enable packet buffer protection for the affected zones.
- Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
- Add a Zone Protection profile to the affected zones.
Question #390 A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?

- a WildFire profile and a File Blocking profile.
- a Vulnerability Protection profile and a Decryption policy.
- a Vulnerability Protection profile and a QoS policy.
- a Decryption policy and a Data Filtering profile.

Question #398 An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems. From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?

- Set the malware category to block.
- Set the Command and Control category to block.
- Set the phishing category to override.
- Set the hacking category to continue.

Question #449 A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)

- Decryption.
- HTTP Server.
- SSL/TLS Service.
- Interface Management.

Question #471 An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)

- URL Filtering profiles.
- SSL/TLS profiles.
- Address groups.
- DNS Proxy.

Question #255 What is a key step in implementing WildFire best practices?

- Configure the firewall to retrieve content updates every minute.
- Ensure that a Threat Prevention subscription is active.
- In a mission-critical network, increase the WildFire size limits to the maximum value.
- In a security-first network, set the WildFire size limits to the minimum value.

Question #332 An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

- APK.
- VBScripts.
- PowerShell scripts.
- ELF.
- MS Office.
Question #593 A firewall engineer needs to patch the company’s Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?

- Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.
- Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.
- Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.
- Only Panorama must be patched to the target PAN-OS version before updating the firewalls.

Question #147 An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

- Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.
- Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
- Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
- Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
- Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

Question #98 Which DoS protection mechanism detects and prevents session exhaustion attacks?

- Packet Based Attack Protection.
- Flood Protection.
- Resource Protection.
- TCP Port Scan Protection.
Question #252 An organization's administrator has the funds available to purchase more firewalls to increase the organization's security posture. The partner SE recommends placing the firewalls as close as possible to the resources that they protect. Is the SE's advice correct, and why or why not?

- No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement.
- Yes. Firewalls are session-based, so they do not scale to millions of CPS.
- No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network.
- Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems.

Question #268 Which component enables you to configure firewall resource protection settings?

- DoS Protection Profile.
- QoS Profile.
- Zone Protection Profile.
- DoS Protection policy.

Question #286 What is considered the best practice with regards to zone protection?

- Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs.
- Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse.
- Set the Alarm Rate threshold for event-log messages to high severity or critical severity.
- If the levels of zone and DoS protection consume too many firewall resources, disable zone protection.

Question #338 A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?

- A. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
- B. Create a DoS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone.
- C. Enable packet buffer protection in the outside zone.
- D. Create a Security rule to deny all ICMP traffic from the outside zone.

Question #232 An administrator wants to enable zone protection. Before doing so, what must the administrator consider?

- A. Activate a zone protection subscription.
- B. Security policy rules do not prevent lateral movement of traffic between zones.
- C. The zone protection profile will apply to all interfaces within that zone.
- D. To increase bandwidth, no more than one firewall interface should be connected to a zone.

Question #497 An engineer troubleshoots an issue that causes packet drops. Which command should the engineer run in the CLI to see if packet buffer protection is enabled and activated?

- A. show session id.
- B. show system state | match packet-buffer-protection.
- C. show session packet-buffer-protection.
- D. show running resource-monitor.

Question #225 When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

- A. You must set the interface to Layer 2, Layer 3, or virtual wire.
- B. The interface must be used for traffic to the required services.
- C. You must use a static IP address.
- D. You must enable DoS and zone protection.

Question #563 An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?

- A. Replay Protection.
- B. Zone Protection.
- C. Tunnel Monitor.
- D. Passive Mode.

Question #582 All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?

- A. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time.
- B. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time.
- C. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.
- D. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

Question #270 A Panorama administrator configures a new zone and uses the zone in a new Security policy. After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?

- A. merge with candidate config.
- B. include device and network templates.
- C. specify the template as a reference template.
- D. force template values.

Question #536 An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

- A. Reload the running configuration and perform a Firewall local commit.
- B. Perform a commit force from the CLI of the firewall.
- C. Perform a template commit push from Panorama using the “Force Template Values” option.
- D. Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option.

Question #97 Which CLI command enables an administrator to check the CPU utilization of the dataplane?

- A. show running resource-monitor.
- B. debug data-plane dp-cpu.
- C. show system resources.
- D. debug running resources.
Question #10 If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

- A. The settings assigned to the template that is on top of the stack.
- B. The administrator will be prompted to choose the settings for that chosen firewall.
- C. All the settings configured in all templates.
- D. Depending on the firewall location, Panorama decides which settings to send.

Question #21 What are two benefits of nested device groups in Panorama? (Choose two.)

- A. Reuse of the existing Security policy rules and objects.
- B. Requires configuring both function and location for every device.
- C. All device groups inherit settings from the Shared group.
- D. Overwrites local firewall configuration.

Question #34 Which three settings are defined within the Templates object of Panorama? (Choose three.)

- A. Setup.
- B. Virtual Routers.
- C. Interfaces.
- D. Security.
- E. Application Override.

Question #128 Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)

- A. Role Based.
- B. Custom Panorama Admin.
- C. Device Group.
- D. Dynamic.
- E. Template Admin.

Question #144 How does Panorama prompt VMware NSX to quarantine an infected VM?

- A. HTTP Server Profile.
- B. Syslog Server Profile.
- C. Email Server Profile.
- D. SNMP Server Profile.

Question #178 Which Panorama objects restrict administrative access to specific device-groups?

- A. admin roles.
- B. authentication profiles.
- C. templates.
- D. access domains.

Question #186 When overriding a template configuration locally on a firewall, what should you consider?

- A. Panorama will update the template with the overridden value.
- B. The firewall template will show that it is out of sync within Panorama.
- C. Only Panorama can revert the override.
- D. Panorama will lose visibility into the overridden configuration.
Question #208 An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

- A. virtual systems.
- B. template stacks.
- C. variables.
- D. collector groups.

Question #230 An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

- A. Panorama does not have valid licenses to push the dynamic updates.
- B. Panorama has no connection to Palo Alto Networks update servers.
- C. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
- D. No service route is configured on the firewalls to Palo Alto Networks update servers.

Question #236 An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information. However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD. How can policies based on group mapping be learned and enforced in Prisma Access?

- A. Configure Prisma Access to learn group mapping via SAML assertion.
- B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
- C. Assign a master device in Panorama through which Prisma Access learns groups.
- D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

Question #379 A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved?

- A. by configuring User-ID group mapping in Panorama > User Identification.
- B. by configuring Master Device in Panorama > Device Groups.
- C. by configuring User-ID source device in Panorama > Managed Devices.
- D. by configuring Data Redistribution Client in Panorama > Data Redistribution.

Question #240 A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama?

- A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
- B. Configure a group mapping profile to retrieve the groups in the target template.
- C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
- D. Configure a master device within the device groups.

Question #324 An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?

- A. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.
- B. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.
- C. A master device with Group Mapping configured must be set in the device group where the Security rules are configured.
- D. A User-ID Certificate profile must be configured on Panorama.

Question #541 An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

- A. A service route to the LDAP server.
- B. A User-ID agent on the LDAP server.
- C. A Master Device.
- D. Authentication Portal.

Question #260 An administrator's device-group commit push is failing due to a new URL category. How should the administrator correct this issue?

- update the Firewall Apps and Threat version to match the version of Panorama.
- change the new category action to "alert" and push the configuration again.
- ensure that the firewall can communicate with the URL cloud.
- verify that the URL seed file has been downloaded and activated on the firewall.

Question #269 How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

- Choose the download and install action for both members of the HA pair in the Schedule object.
- Switch context to the firewalls to start the download and install process.
- Download the apps to the primary; no further action is required.
- Configure the firewall's assigned template to download the content updates.

Question #289 An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

- Use the import option to pull logs.
- Use the scp logdb export command.
- Export the log database.
- Use the ACC to consolidate the logs.

Question #303 A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

- Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration.
- Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates".
- Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration.
- Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".

Question #305 An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?

- System Logs.
- Session Browser.
- You cannot find failover details on closed sessions.
- Traffic Logs.

Question #317 Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

- template variables.
- the 'Shared' device group.
- template stacks.
- a device group.

Question #354 A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

- Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
- Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
- Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
- Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
Question #358 A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

- Templates > Device > Log Settings.
- Device Groups > Objects > Log Forwarding.
- Monitor > Logs > Traffic.
- Panorama > Managed Devices.

Question #481 A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?

- Monitor > Logs > System.
- Objects > Log Forwarding.
- Device > Log Settings.
- Panorama > Managed Devices.

Question #360 Which Panorama feature protects logs against data loss if a Panorama server fails?

- Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
- Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.
- Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
- Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

Question #363 Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?

- Legacy.
- Management Only.
- Log Collector.
- Panorama.

Question #399 In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?

- HTTPS.
- FTP.
- SMB v3.
- SCP.

Question #417 A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

- Export Named Configuration Snapshot on each firewall, followed by Import Named Configuration Snapshot in Panorama.
- Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices.
- Import Device Configuration to Panorama, followed by Export or Push Device Config Bundle.
- Use API calls to retrieve the configuration directly from the managed devices.

Question #410 Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

- Check dependencies.
- Schedules.
- Verify.
- Revert content.
- Install.

Question #518 An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)

- Inherit all Security policy rules and objects.
- Inherit settings from the Shared group.
- Inherit IPSec crypto profiles.
- Inherit parent Security policy rules and objects.

Question #521 After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

- Ensure Force Template Values is checked when pushing configuration.
- Push the Template first, then push Device Group to the newly managed firewall.
- Push the Device Group first, then push Template to the newly managed firewall.
- Perform the Export or push Device Config Bundle to the newly managed firewall.

Question #548 What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

- Rename a vsys on a multi-vsys firewall.
- Change the firewall management IP address.
- Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode.
- Add administrator accounts.
- Configure a device block list.

Question #567 An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.)

- Log Forwarding profile.
- SSL decryption exclusion.
- Email scheduler.
- Login banner.
- Dynamic updates.

Question #570 An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)

- Override the DNS server on the template stack.
- Configure the DNS server locally on the firewall.
- Change the DNS server on the global template.
- Configure a service route for DNS on a different interface.

Question #590 Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

- HA cluster members must be the same firewall model and run the same PAN-OS version.
- HA cluster members must share the same zone names.
- Panorama must be used to manage HA cluster members.
- Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.

Question #162 Panorama provides which two SD-WAN functions? (Choose two.)

- network monitoring.
- control plane.
- data plane.
- physical network links.

Question #283 An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone dropdown list does not include the required zone. What must the administrator do to correct this issue?

- Add a firewall to both the device group and the template.
- Add the template as a reference template in the device group.
- Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
- Specify the target device as the master device in the device group.

Question #308 An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

- review the configuration logs on the Monitor tab.
- use Test Policy Match to review the policies in Panorama.
- context-switch to the affected firewall and use the configuration audit tool.
- click Preview Changes under Push Scope.

Question #510 A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?

- Create a Dynamic Admin with the Panorama Administrator role.
- Create a Dynamic Read only superuser.
- Create a Device Group and Template Admin.
- Create a Custom Panorama Admin.

Question #449 (Topic 1) A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)

- Decryption.
- HTTP Server.
- SSL/TLS Service.
- Interface Management.




