
PCNSE2

Description:
Exam Questions

Creation Date: 2026/01/27

Category: Others

Number of questions: 48

Content:

Question 183# A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?
A. Enterprise-Trusted-CA, which is a self-signed CA.
B. Enterprise-Root-CA, which is a self-signed CA.
C. Enterprise-Intermediate-CA, which was, in turn, issued by Enterprise-Root-CA.
D. Enterprise-Untrusted-CA, which is a self-signed CA.

Question 191# An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A. A Decryption profile must be attached to the Decryption policy that the traffic matches.
B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
C. A Decryption profile must be attached to the Security policy that the traffic matches.
D. There must be a certificate with only the Forward Trust option selected.

Question 207# In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
A. self-signed CA certificate
B. server certificate
C. wildcard server certificate
D. client certificate
E. enterprise CA certificate

Question 217# A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
A. machine certificate
B. server certificate
C. certificate authority (CA) certificate
D. client certificate

Question 248# While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache

Question 261# A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
A. Authentication Algorithm
B. Encryption Algorithm
C. Certificate
D. Maximum TLS version
E. Minimum TLS version

Question 428# An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?
A. The root CA
B. The untrusted certificate
C. The server certificate
D. The trusted certificate

Question 323# An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?
A. Guest devices may not trust the CA certificate used for the forward trust certificate.
B. Guests may use operating systems that can't be decrypted.
C. The organization has no legal authority to decrypt their traffic.
D. Guest devices may not trust the CA certificate used for the forward untrust certificate.

Question 340# A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
A. Certificate profile
B. SSL/TLS Service profile
C. SSH Service profile
D. Decryption profile

Question 393# During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
A. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

Question 440# Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
A. The forward trust certificate has not been signed by the self-signed root CA certificate.
B. The forward trust certificate has not been installed in client systems.
C. The forward untrust certificate has not been signed by the self-signed root CA certificate.
D. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

Question 445# An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?
A. External CA certificate
B. Server certificate
C. Device certificate
D. Self-signed root CA certificate

Question 447# An engineer is configuring SSL Inbound Inspection for public access to a company’s application. Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?
A. Intermediate CA(s) and End-entity certificate
B. Root CA and Intermediate CA(s)
C. Self-signed certificate with exportable private key
D. Self-signed CA and End-entity certificate

Question 448# A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A Machine Certificate for the firewall signed by the organization’s PKI
B. A web server certificate signed by the organization’s PKI
C. A subordinate Certificate Authority certificate signed by the organization’s PKI
D. A self-signed Certificate Authority certificate generated by the firewall

Question 404# An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management. Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
A. A Certificate profile should be configured with a trusted root CA.
B. An SSL/TLS Service profile should be configured with a certificate assigned.
C. An Interface Management profile with HTTP and HTTPS enabled should be configured.
D. An Authentication profile with the allow list of users should be configured.

Question 468# A network security administrator wants to configure SSL inbound inspection. Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)
A. An SSL/TLS Service profile
B. The web server's security certificate with the private key
C. A Decryption profile
D. A Decryption policy
E. The client's security certificate with the private key

Question 469# You have been asked to implement GlobalProtect for your organization. You have decided on https://gp.mycompany.com for your Portal, and have received the certificate and key. Where would you navigate to on the firewall UI to import the certificate?
A. Device > Certificate Management > Device Certificates > Certificates
B. Device Certificates > Certificate Management > Certificates > Device
C. Device > Device Certificates > Certificate Management > Certificates
D. Device > Certificate Management > Certificates > Device Certificates

Question 484# A company requires the firewall to block expired certificates issued by internet-hosted websites. The company plans to implement decryption in the future, but it does not perform SSL Forward Proxy decryption at this time. Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify and block expired certificates issued by internet-hosted websites?
A. By having a Certificate profile that contains the website's Root CA assigned to the respective Security policy rule.
B. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication and the server/client session keys in order to validate a certificate's authenticity and expiration.
C. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication in order to validate a certificate's authenticity and expiration.
D. By having a Decryption profile that blocks sessions with expired certificates in the No Decryption section and assigning it to a No Decrypt policy rule.

Question 492# An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound inspection and SSL Forward Proxy are installed properly on the firewall. When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)
A. Forward Untrust certificate
B. Enterprise Root CA certificate
C. Forward Trust certificate
D. End-entity (leaf) certificate
E. Intermediate certificate(s)

Question 517# An administrator has been tasked with deploying SSL Forward Proxy. Which two types of certificates are used to decrypt the traffic? (Choose two.)
A. Device certificate
B. Subordinate CA from the administrator’s own PKI infrastructure
C. Self-signed root CA
D. External CA certificate

Question 519# A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?
A. A self-signed certificate generated on the firewall
B. A web server certificate signed by the organization’s PKI
C. A web server certificate signed by an external Certificate Authority
D. A subordinate Certificate Authority certificate signed by the organization’s PKI

Question 568# An organization wants to begin decrypting guest and BYOD traffic. Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
A. Authentication Portal
B. SSL Decryption profile
C. SSL decryption policy
D. comfort pages

Question 575# Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
A. Configure the decryption profile.
B. Configure SSL decryption rules.
C. Define a Forward Trust Certificate.
D. Configure an SSL/TLS service profile.

Question 58# Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?
A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up SSL/TLS under Policies > Service/URL Category > Service.
C. Set up a Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.

Question 140# Which administrative authentication method supports authorization by an external service?
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys

Question 184# What are three reasons for excluding a site from SSL decryption? (Choose three.)
A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

Question 543# An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)
A. Service Route Configuration
B. Dynamic Address Groups
C. NTP Server Address
D. Antivirus Profile
E. Authentication Profile

Question 155# Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity

Question 235# The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect app and GlobalProtect satellite
B. GlobalProtect app and GlobalProtect portal
C. GlobalProtect app and GlobalProtect gateway
D. GlobalProtect portal and GlobalProtect gateway

Question 422# What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
A. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
B. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
D. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.

Question 427# An engineer needs to collect User-ID mappings from the company’s existing proxies. Which two methods can be used to pull this data from third-party proxies? (Choose two.)
A. Client probing
B. XFF Headers
C. Syslog
D. Server Monitoring

Question 124# Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
A. syslog listening
B. server monitoring
C. client probing
D. port mapping

Question 434# What must be configured to apply tags automatically to User-ID logs?
A. User mapping
B. Log Forwarding profile
C. Log settings
D. Group mapping

Question 211# Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
A. LDAP Server Profile configuration
B. GlobalProtect
C. Windows-based User-ID agent
D. PAN-OS integrated User-ID agent

Question 539# Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?
A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution.
C. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

Question 156# Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
A. log forwarding auto-tagging
B. XML API
C. GlobalProtect agent
D. User-ID Windows-based agent

Question 267# Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
A. PAN-OS integrated agent
B. Citrix terminal server agent with adequate data-plane resources
C. Captive Portal
D. Windows-based User-ID agent on a standalone server

Question 525# Which three items must be configured to implement application override? (Choose three.)
A. Application filter
B. Application override policy rule
C. Custom app
D. Decryption policy rule
E. Security policy rule

Question 202# What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)
A. App-ID
B. Custom URL Category
C. User-ID
D. Destination Zone
E. Source Interface

Question 278# An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
A. GlobalProtect HIP
B. source users
C. App-ID
D. URL categories
E. source and destination IP addresses

Question 458# Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
A. A Decryption policy to decrypt the traffic and see the tag
B. A Deny policy with the “tag” App-ID to block the tagged traffic
C. An Allow policy for the initial traffic
D. A Deny policy for the tagged traffic

Question 35# A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)
A. Application Override policy
B. Security policy to identify the custom application
C. Custom application
D. Custom Service object

Question 277# What is the best description of the HA4 Keep-alive Threshold (ms)?
A. the timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
C. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
D. the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

Question 284# What best describes the HA Promotion Hold Time?
A. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
C. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

Question 322# Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)
A. The environment requires real full-time redundancy from both firewalls at all times.
B. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes.
C. The environment requires Layer 2 interfaces in the deployment.
D. The environment requires that all configuration must be fully synchronized between both members of the HA pair.
E. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence.

Question 457# What is the best description of the Cluster Synchronization Timeout (min)?
A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
B. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
D. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

Question 495# In an HA failover scenario, what happens with sessions decrypted by an SSL Forward Proxy Decryption policy?
A. The existing session is transferred to the active firewall.
B. The firewall drops the session.
C. The session is sent to fastpath.
D. The firewall allows the session but does not decrypt the session.

Question 502# A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy mode. Which three elements must be in place before a transparent web proxy can function? (Choose three.)
A. User-ID for the proxy zone
B. DNS Security license
C. Prisma Access explicit proxy license
D. Cortex Data Lake license
E. Authentication Policy Rule set to default-web-form
