Posted on May 17, 2020 Palo Alto Firewalls PCNSE (Palo Alto) Mock-up Test – 6 (Paid) (45questions) Please enter your email: 1. A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address? A. Add an Anti-Spyware Profile to block attacking IP address B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server C. Add QoS Profiles to throttle incoming requests D. Add a tuned DoS Protection Profile 2. Which three user authentication services can be modified to provide the Palo Alto Networks NGfW with both usernames and role names? (Choose three.) A. TACACS+ B. Kerberos C. PAP D. LADP E. SAML F. RADIUS 3. Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website? A. URL Filtering profile B. Zone Protection profile C. Anti-Spyware profile D. Vulnerability Protection profile 4. An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third- party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement? A. . Decryption Mirror interface with the Threat 1nalysis license B. Virtual Wire interface with the Decryption Port Export license C. Tap interface with the Decryption Port Mirror license D. Decryption Mirror interface with the associated Decryption Port Mirror license 5. Which operation will impact the performance of the management plane? a. DoS protection b. Wild1ire submissions C. generating a SaaS Application report d. decrypting SSL sessions 6. Which feature can provide NGFWs with User-ID mapping information? A. Web Captcha B. Native 802.1q authentication C. GlobalProtect D. Native 802.1x authentication 7. During the packet flow process, which two processes are performed in application identification? (Choose two.) A. Pattern based application identification B. Application override policy match C. Application changed from content inspection D. Session application identified. 8. Which three file types can be forwarded to Wild1ire for analysis as a part of the basic Wild1ire service? (Choose three.) a. .dll b. .exe c. .fon d. .apk e. .pdf f. .jar 9. Which event will happen if an administrator uses an Application Override Policy? A. Threat-ID processing time is decreased. B. The Palo Alto Networks NGFW stops App-A4 processing at Layer 4. C. The application name assigned to the traffic by the security rule is written to the Traffic log. D. App-ID processing time is increased. 10. Where can an administrator see both the management plane and data plane CPU utilization in the WebUI? A. System Utilization log B. System log C. Resources widget D. CPU Utilization widget 11. Which feature prevents the submission of corporate login information into website forms? A. Data filtering B. . User-ID C. File blocking D. Credential phishing prevention 12. The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.) A. The administrator has enabled 1GP on a virtual router on the Palo 1lto Networks NG1W, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.) B. Perform a traffic pcap on the NGFW to see any BGP problems. C. View the Runtime Stats and look for problems with BGP configuration. D. 1. View the ACC tab to isolate routing issues. 13. In which two types of deployment is active/active HA configuration supported? (Choose two.) A. Layer 3 mode B. TAP mode C. Virtual Wire mode D. Layer 2 mode 14. Which feature can be configured on VM-Series firewalls? A. aggregate interfaces B. machine learning C. multiple virtual systems D. GlobalProtect 15. An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.) A. B. C. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-145-C.png 16. Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a 1estination NAT policy in the Palo Alto Networks firewall. B. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-107-B.jpg C. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-107-C.jpg D. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-107-D.jpg 17. A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones? A. Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object. B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone. C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. 1ssign each interface/subinterface to a unique zone. Do not assign any interface an IP address. D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone. 18. Which two benefits come from assigning a Decryption Profile to a 1ecryption policy rule with a “No Decrypt” action? (Choose two.) A. Block sessions with expired certificates B. Block sessions with client authentication C. Block sessions with unsupported cipher suites D. Block sessions with untrusted issuers E. Block credential phishing 19. Which log file can be used to identify SSL decryption failures? A. Traffic B. ACC C. Configuration D. Threats 20. A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)? A. Aefine a custom App-ID to ensure that only legitimate application traffic reaches the server. B. Add a Vulnerability Protection Profile to block the attack. C. Add DoS Profiles to throttle incoming requests. D. Add a DoS Protection Profile with defined session count. 21. Which three authentication factors does PAN-OS® software support for MFA? (Choose three.) A. Push B. Pull C. Okta Adaptive D. Voice E. SMS 22. The firewall identifies a popular application as an unknown-tcp. Which two options are available to identify the application? (Choose two.) A. Create a custom application. B. Create a custom object for the custom application server to identify the custom application. C. Submit an Apple-ID request to Palo Alto Networks. D. Create a Security policy to identify the custom application. 23. Which option enables a Palo Alto Networks NGDW administrator to schedule 1pplication and Threat updates while applying only new content-IDs to traffic? A. Select download-and-install B. Select download-only C. Select download-and-install, with “Disable new apps in content update” selected D. Select disable application updates and select “Install only Threat updates” 24. A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case? A. application override B. Virtual Wire mode C. content inspection D. redistribution of user mappings 25. Which three firewall states are valid? (Choose three.) A. Active B. Functional C. Pending D. Passive E. Suspended 26. Which CLI command can be used to export the tcpdump capture? A. scp export tcpdump from mgmt.pcap to B. scp extract mgmt-pcap from mgmt.pcap to C. scp export mgmt-pcap from mgmt.pcap to D. download mgmt-pcap 27. Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW? A. ACC B. System Logs C. App Scope d. Session Browser 28. Which two methods can be configured to validate the revocation status of a certificate? (Choose two.) a. CRL b. CRT C. OCSP d. Cert-Validation-Profile e. SSL/TLS Service Profile 29. The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match? A. 6-tuple match: Source IP 1ddress, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone D. 9-tuple match: Source IP Address, 1estination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category 30. A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers. Which Security Profile type will prevent these behaviors? A. Anti-Spyware B. WildFire C. Vulnerability Protection D. Antivirus 31. An administrator creates a custom application containing Layer 1 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW? A. . Custom application B. System logs show an application error and neither signature is used. C. Downloaded application D. Custom and downloaded application signature files are merged and both are used 32. Which logs enable a firewall administrator to determine whether a session was decrypted? A. Traffic B. Security Policy C. Decryption D. Correlated 1vent 33. An administrator has users accessing network resources through Citrix Xen1pp 7.x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources? A. Client Probing B. Terminal Services agent C. GlobalProtect D. Syslog Monitoring 34. What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image? A. ethernet1/7 B. ethernet1/5 C. Nethernet1/6 D. 1. ethernet1/3 35. An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection? A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone. B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection. C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone. D. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone. 36. An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted? A. In the details of the Traffic log entries B. Decryption log C. Data Filtering log D. In the details of the Threat log entries 37. A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers? A. Enable packet buffer protection on the Zone Protection Profile.B. B. Apply an Anti-Spyware Profile with DNS sinkholing. C. Use the DNS App-ID with application-default. D. Apply a classified DoS Protection Profile. 38. A. Certificate from Default Trust Certificate Authorities B. Domain Sub-CA C. Forward_Trust D. Domain-Root-Cert 39. Which CLI command enables an administrator to check the CPU utilization of the dataplane? A. show running resource_monitor B. debug data_plan dp_ cpu C. show system resource D. debug running resource 40. If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites? A. SSL Forward Proxy B. SSL Inbound Inspection C. TLS Bidirectional proxy D. SSL Outbound Inspection 41. Based on the following image, what is the correct path of root, intermediate, and end-user certificate? A. Palo Alto Networks > Symantec > VeriSign B. VeriSign > Symantec > Palo Alto Networks C. Symantec > VeriSign > Palo Alto Networks D. VeriSign > Palo Alto Networks > Symantec 42. In a virtual router, which object contains all potential routes? A. MIB B. RIB C. SIB D. FIB 43. When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama? a. Load configuration version b. Save candidate config C. export device state d. Load named configuration snapshot 44. SAML SLO is supported for which two firewall features? (Choose two.) A. GlobalProtect Portal B. CaptivePortal C. WebUI D. CLI 45. Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application? A. GlobalProtect version 4.0 with PAN-OS 8.1 B. GlobalProtect version 4.1 with PAN-OS 8.1 C. GlobalProtect version 4.1 with PAN-OS 8.0 D. GlobalProtect version 4.0 with PAN-OS 8.0 Loading … Question 1 of 45
