Palo-Alto-Networks PCNSE Exam Dumps

What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
C. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
D. The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

Answer: C

Where is information about packet buffer protection logged?

A. Alert entries are in the Alarms log Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log
B. All entries are in the System log
C. Alert entries are in the System log Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log
D. All entries are in the Alarms log

Answer: B

A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?

A. Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic 
C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers

Answer: B

What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

A. SSL/TLS Service profile
B. Certificate profile
C. SCEP
D. OCSP Responder

Answer: C

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

A. No Direct Access to local networks
B. Satellite mode
C. Tunnel mode
D. IPSec mode

Answer: A

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

A. Certificate profile
B. Path Quality profile
C. SD-WAN Interface profile
D. Traffic Distribution profile

Answer: C

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SDWAN hardware be introduced to the environment. What is the best solution for the customer?

A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Deploy Prisma SD-WAN with Prisma Access
D. Configure policy-based forwarding

Answer: B

What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

Answer: C

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo AltoNetworks best practices What should you recommend?

A. Enable SSL decryption for known malicious source IP addresses
B. Enable SSL decryption for source users and known malicious URL categories
C. Enable SSL decryption for malicious source users
D. Enable SSL decryption for known malicious destination IP addresses

Answer: B

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

A. Add the policy in the shared device group as a pre-rule
B. Reference the targeted device's templates in the target device group
C. Add the policy to the target device group and apply a master device to the device group
D. Clone the security policy and add it to the other device groups

Answer: A

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.What is the correct setting?

A. Change the HA timer profile to "user-defined" and manually set the timers.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
D. Change the HA timer profile to "quick" and customize in advanced profile.

Answer: C

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.
B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Answer: B

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app? Failed to connect to server at port:47 67

A. The PanGPS process failed to connect to the PanGPA process on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPA process failed to connect to the PanGPS process on port 4767
D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Answer: D

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two)

A. Dos Protection policy
B. QoS Profile
C. Zone Protection Profile
D. DoS Protection Profile

Answer: C,D

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth tosupport all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo AltoNetworks?

A. PAN-OS integrated agent
B. Captive Portal
C. Citrix terminal server agent with adequate data-plane resources
D. Windows-based User-ID agent on a standalone server

Answer: A

An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?

A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

Answer: C

Which GlobalProtect component must be configured to enable Clientless VPN?

A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway

Answer: C

An administrator is building Security rules within a device group to block traffic to and from malicious locations How should those rules be configured to ensure that they are evaluated with a high priority?

A. Create the appropriate rules with a Block action and apply them at the top of the Default Rules
B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.
C. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.
D. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules

Answer: A

What are three types of Decryption Policy rules? (Choose three.)

A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. Decryption Broker
E. Decryption Mirror

Answer: A,B,C

A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama?

A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.

Answer: D

A customer is replacing their legacy remote access VPN solution The current solution is in place to secure only internet egress for the connected clients Prisma Access has beenselected to replace the current remote access VPN solution During onboarding the following options and licenses were selected and enabled - Prisma Access for Remote Networks 300Mbps- Prisma Access for Mobile Users 1500 Users - Cortex Data Lake 2TB - Trusted Zones trust - Untrusted Zones untrust - Parent Device Group sharedHow can you configure Prisma Access to provide the same level of access as the current VPN solution?

A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet
B. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet
C. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet
D. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet

Answer: D

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

A. The TCP connection was terminated without identifying any application data
B. The client sent a TCP segment with the PUSH flag set
C. There is not enough application data after the TCP connection was established
D. The TCP connection did not fully establish
E. There was no application data after the TCP connection was established

Answer: A,D,E

Cortex XDR notifies an administrator about grayware on the endpoints. There are no entnes about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts? 

A. within the log settings option in the Device tab
B. within the log forwarding profile attached to the Security policy rule
C. in WildFire General Settings, select "Report Grayware Files"
D. in Threat General Settings^ select "Report Grayware Files"

Answer: D

What are three reasons for excluding a site from SSL decryption? (Choose three.)

A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

Answer: B,C,E

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

A. Phase 2 SAs are synchronized over HA2 finks
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
C. Phase 1 SAs are synchronized over HA1 links
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links

Answer: A

A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want toensure that they know as much as they can about QoS before deploying. Which statement about the QoS feature is correct?

A. QoS is only supported on firewalls that have a single virtual system configured
B. QoS can be used in conjunction with SSL decryption
C. QoS is only supported on hardware firewalls
D. QoS can be used on firewalls with multiple virtual systems configured

Answer: C

An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?

A. IPSec crypto profile mismatch
B. IPSec protocol mismatch
C. mismatched Proxy-IDs
D. bad local and peer identification IP addresses in the IKE gateway

Answer: C

What is considered the best practice with regards to zone protection?

A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity

Answer: C