Elevate exam readiness with our newest PCNSE exam dumps

Steer your certification aspirations with the unparalleled guidance found within the PCNSE dumps. Intricately meshed to mirror the diverse landscape of the curriculum, the PCNSE dumps project a plethora of practice questions, ensuring an unwavering command over the subject. Be it the concise elegance of PDFs that attracts or the lively scenarios of the VCE format that captivates, the PCNSE dumps promise a holistic experience. An extensive study guide, a hallmark feature of the PCNSE dumps, stands as a beacon, highlighting critical areas of focus. With a profound belief in the prowess of our tools, we passionately reinforce our 100% Pass Guarantee.

[Top Release] Set yourself up for 100% exam success with the free PCNSE PDF and Exam Questions

Question 1:

What are three reasons why an installed session can be identified with the “application incomplete” tag? (Choose three.)

A. The TCP connection was terminated without identifying any application data

B. The client sent a TCP segment with the PUSH flag set

C. There is not enough application data after the TCP connection was established

D. The TCP connection did not fully establish

E. There was no application data after the TCP connection was established

Correct Answer: ADE

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC


Question 2:

In a firewall, which three decryption methods are valid? (Choose three.)

A. SSL Inbound Inspection

B. SSL Outbound Proxyless Inspection

C. SSL Inbound Proxy

D. Decryption Mirror

E. SSH Proxy

Correct Answer: ADE

You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.

Ref: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-overview.html#idd71f8b4d-cd40-4c6c-905f-2f8c7fca6537


Question 3:

The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?

A. A Certificate Profile that contains the client certificate needs to be selected.

B. The source address supports only files hosted with an ftp://.

C. External Dynamic Lists do not support SSL connections.

D. A Certificate Profile that contains the CA certificate needs to be selected.

Correct Answer: D

“If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root certificate authority (CA) and intermediate CA certificates that match the certificates installed on the server you are authenticating.”


Question 4:

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

A. link requirements

B. the name of the ISP

C. IP Addresses

D. branch and hub locations

Correct Answer: ACD

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration


Question 5:

An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall. Which three types of interfaces support SSL Forward Proxy? (Choose three.)

A. High availability (HA)

B. Layer 2

C. Virtual Wire

D. Tap

E. Layer 3

Correct Answer: BCE

PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC


Question 6:

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A. Load named configuration snapshot

B. Load configuration version

C. Save candidate config

D. Export device state

Correct Answer: D


Question 7:

A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system ntfs and the initial configuration is stored in a file named init-cfg.txt.

The contents of init-cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because:

A. the bootstrap.xml file is a required file, but it is missing

B. init-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml

C. The USB must be formatted using the ext4 file system

D. There must be commas between the parameter names and their values instead of the equal symbols

E. The USB drive has been formatted with an unsupported file system

Correct Answer: E

As per PA, it will support FAT32 and ext3, so the correct answer is E (Unsupported File System).

The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:

File Allocation Table 32 (FAT32)

Third Extended File System (ext3)


Question 8:

DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.

Select and Place:

Correct Answer:

Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file.

Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.

Step 3. Upload or drag and drop the technical support file.

Step 4. Map the zone type and area of the architecture to each zone.

Step 5. Follow the steps to download the BPA report bundle.


Question 9:

An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.

Which option would achieve this result?

A. Create a custom App-ID and enable scanning on the advanced tab.

B. Create an Application Override policy.

C. Create a custom App-ID and use the “ordered conditions” check box.

D. Create an Application Override policy and custom threat signature for the application.

Correct Answer: A

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRoCAK


Question 10:

An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface. Which statement is true regarding the configuration of the Decryption Port Mirroring feature?

A. The engineer should install the Decryption Port Mirror license and reboot the firewall.

B. The PA-850 firewall does not support decrypt mirror interface, so the engineer needs to upgrade the firewall to PA-3200 series.

C. The engineer must assign an IP from the same subnet with the forensic tool to the decrypt mirror interface.

D. The engineer must assign the related virtual-router to the decrypt mirror interface.

Correct Answer: A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-decryption-port-mirroring


Question 11:

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)

A. A QoS policy for each application

B. An Application Override policy for the SIP traffic

C. A QoS profile defining traffic classes

D. QoS on the ingress interface for the traffic flows

E. QoS on the egress interface for the traffic flows

Correct Answer: ACE

The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egress-interface


Question 12:

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?

A. 0

B. 99

C. 1

D. 255

Correct Answer: D

Reference:

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9)

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-os-admin/pan-os-admin.pdf (page 315)


Question 13:

A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web browsing access to the server.

Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?

A. application: web-browsing; service: application-default

B. application: web-browsing; service: service-https

C. application: ssl; service: any

D. application: web-browsing; service: (custom with destination TCP port 8080)

Correct Answer: D

If you check in the FW the default port for web-browsing is TCP 80, so you will need a custom app.

admin@PA-LAB-01# show predefined application web-browsing
web-browsing {
  category general-internet;
  subcategory internet-utility;
  technology browser-based;
  analysis 'Web browsing continues to evolve. Initially used to simply view HTML formatted information, web browsers have become the client, through which, users can access new applications that provide functionality far beyond simple information browsing. These applications include web mail, instant messaging, streaming media, web conferencing, blogs, file sharing and other social networking applications. Much of the plain web-browsing activities has effectively been overshadowed by all the other applications. }
  default {
    port tcp/80;
  }
  tunnel-applications http-proxy;
  risk 4;
}
[edit]


Question 14:

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

A. View Runtime Stats in the virtual router.

B. View System logs.

C. Add a redistribution profile to forward as BGP updates.

D. Perform a traffic pcap at the routing stage.

Correct Answer: AB

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldcCAC


Question 15:

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

A. NAT

B. DOS protection

C. QoS

D. Tunnel inspection

Correct Answer: C

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.

