Test - Palo Alto Networks Certified Network Security Engineer (PCNSE): Exam Practice Questions

PCNSE Practice Questions

Question 1 of 60.

A company is deploying a pair of PA-5060 firewalls in an environment requiring support for asymmetric routing.
Which High Availability (HA) mode best supports this design requirement?

Active-Passive mode with "tcp-reject-non-syn" set to "no"

HA-Lite Active-Passive mode

Active-Passive mode

Active-Active mode

Question 2 of 60.

A company uses Active Directory and RADIUS to capture User-ID information and implement user-based
policies to control web access. Many Linux and Mac computers in the environment do not have
IP-address-to-user mappings. What is the best way to collect user information for those systems?

Load the GlobalProtect client and connect to the company GlobalProtect environment

Install the User-ID agent on the systems to collect user information

Install a Terminal Services agent in the environment

Use Captive Portal to capture user information

Question 3 of 60.

The WildFire Cloud or WF-500 appliance provides information to which two Palo Alto Networks security
services? (Choose two.)

Threat Prevention

URL Filtering

PAN-OS

App-ID

GlobalProtect Data File

Question 4 of 60.

A company has a pair of PA-3050s running PAN-OS 6.0.4. Antivirus, Threat Prevention, and URL Filtering
Profiles are in place and properly configured on both inbound and outbound policies. A Security Operation
Center (SOC) engineer starts his shift and faces the traffic logs presented in the screenshot shown above. He
notices that the traffic is being allowed outbound. Which actions should the SOC engineer take to safely allow
known but not yet qualified applications, without disrupting the remaining traffic policies?

Create Application Override policies after a packet capture to identify the applications that are triggering
the "unknown-tcp". Then create new custom applications for those policies, and add these new policies above
the current policy that allows the traffic.

Create an Application Override policy after a packet capture to identify the applications that are triggering
the "unknown-tcp". Then create a new custom application, and add this new policy below the current policy
that is blocking the traffic.

Create a policy to deny only the inbound traffic because "unknown-tcp" happens when a TCP handshake
hasn't occurred properly. Then add this new policy above the current policy that allows the traffic.

Create a policy to deny all traffic inbound or outbound with the application "unknown-tcp". Then place the
new policy above the current policy that allows the traffic.

Question 5 of 60.

Which three engines are built into the Single-Pass Parallel Processing Architecture? (Choose three.)

Application Identification (App-ID)

Threat Identification (Threat-ID)

Group Identification (Group-ID)

User Identification (User-ID)

Content Identification (Content-ID)

Question 6 of 60.

A US-CERT notification is published regarding a newly-discovered piece of malware. The infection is spread
using spear phishing e-mails that prompt users to click an HTTP hyperlink, which then downloads the malware.
Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall
is configured to dynamically update to the latest databases automatically. Which component and
implementation will detect and prevent this threat?

Zone Protection profiles applied to the external zone with Packet Based Attack Protection with action set
to block high severity threats

Vulnerability Protection profiles applied to inbound and outbound security policies with action set to block
high severity threats

Antivirus profiles applied to outbound security policy rules with action set to block high severity threats

Antivirus profiles applied to inbound security policies with action set to block high severity threats

Question 7 of 60.

A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What happens to an
already-accepted and running FTP session at 5:01 p.m.?

The session is terminated, and the initiator must establish a new session.

The session is re-evaluated if the default configuration setting “Rematch all sessions on config policy
change” is enabled.

The session is re-evaluated to determine whether it is allowed under a different policy rule.

The session continues to run, because already-accepted sessions are not re-evaluated.

Question 8 of 60.

Which component must be configured before a User Activity report can be generated?

GlobalProtect

User Identification

SSL Decryption

Log Forwarding

Question 9 of 60.

When would there be a benefit from the creation of a custom application signature?

When the application can be used to send and receive malware

When a company wants to know who is watching World Cup soccer matches during work hours

When the risk level of a Palo Alto Networks-provided application signature needs to be changed

When the ability of an application to port hop needs to be eliminated

Question 10 of 60.

Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred
in the last day?

ACC->Application

Objects->Applications->web-browsing

Monitor->App Scope->Summary

Monitor->Session Browser

Question 11 of 60.

Which feature will control how the firewall handles web servers with expired certificates when decrypting SSL?

Certificate Profile

Default Trusted Certification Authorities

Data Filtering Profile

Decryption Profile

Question 12 of 60.

Which GlobalProtect deployment strategy could be leveraged to expand a company's global VPN footprint
without incurring hosting fees for physical equipment?

GlobalProtect Satellite

VM-Series for AWS (Amazon Web Services)

MDM (Mobile Device Manager)

LSVPN (Large Scale VPN)

Question 13 of 60.

Which statement is true of an OSPFv3 configuration on the Palo Alto Networks firewall?

It requires MD5 authentication.

It supports dynamic interfaces such as DHCP.

It is enabled per-subnet instead of per-link.

It uses IPv4 addresses for the area ID.

Question 14 of 60.

A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by
the firewall to the client be when doing SSL Decryption?

512 bits

4096 bits

2048 bits

1024 bits

Question 15 of 60.

Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall?
(Choose three.)

Removing from the session table any TCP session without traffic for 3600 seconds

Recognizing when SSH sessions are using SSH v1 instead of SSH v2

Validating that UDP port 53 packets are not being used to tunnel data for another protocol

Identifying unauthorized applications that attempt to connect over non-standard ports

Allowing a packet through from an external DNS server only if an internal host recently queried that DNS
server

Question 16 of 60.

Which Virtual Wire Tag Allowed value(s) will allow only untagged traffic to traverse a virtual wire?

"any"

0-4094

1-4094

Question 17 of 60.

Which CLI command would allow an administrator to assess CPU usage by process on the management
plane?

show system resources

show process list

show running resource monitor

show system statistics

Question 18 of 60.

A company has a Palo Alto Networks firewall configured with the following three zones: Internet, DMZ, Inside.
All users are located on the Inside zone and are using public DNS servers for name resolution. The company
hosts a publicly accessible web application on a server in the DMZ zone. Which NAT rule configuration will
allow users on the Inside zone to access the web application using its public IP address?

Two zone U-turn NAT

Bi-directional NAT

Explicit No-NAT Policy Rule

Three zone U-turn NAT

Question 19 of 60.

Each week, a company wants to know the list of employees in the "mgt" group who are the biggest users of
network bandwidth. Assume that the "mgt" group is properly configured on the company's Domain Controller,
and that User-ID also is configured correctly. The firewall administrator starts to create the Custom report
shown above: What must the administrator do or change to complete this Custom report?

'Last 24 Hrs' must be selected from the 'Time Frame' option.

Explicitly set the 'Sort By' option.

'Source User' must be selected from the 'Available Columns' option.

'Application Statistics' must be selected from the 'Database' option.

Question 20 of 60.

What statement is true about the Highlight Unused Rules option for a Security Policy?

A management plane restart will clear the counters for used/unused rules.

A dataplane restart will clear the counters for used/unused rules.

The counters for used/unused rules can be cleared using the "reset counter global name rule-use" CLI
command.

The counters for used/unused rules can be cleared using the reset counter global name rule-use CLI
command.

Question 21 of 60.

Which action will display the NAT policies that are being enforced by the firewall?

From the command line, check the status of the NAT pool on the data plane using the command
"nat-rule-ippool".

View the NAT policies currently displayed by the management plane in the GUI.

Navigate to the Policies tab in the GUI, select NAT from the configuration tree and check the box marked
"Highlight Unused Rules".

From the command line, check the NAT policies loaded on the data plane using the command "show
running nat-policy".

Question 22 of 60.

Which two techniques become available only after upgrading from a legacy firewall to a Palo Alto Networks
next-generation firewall? (Choose two.)

Differentiating between traffic for the base Facebook application and traffic using Facebook Chat

Limiting applications to using only their standard port numbers

Distinguishing between SSH v1 and SSH v2 in a traffic stream

Dynamically opening small holes in the firewall to permit FTP data transfers, instead of being required to
open all high port numbers

Question 23 of 60.

What is the proper method to determine which active sessions on the firewall matched a security rule named
"ftp-out"?

Apply the filter "(rule eq ftp-out) and (subtype eq start)" to the traffic logs.

In the CLI, run the command "show session all filter rule ftp-out".

In the CLI, run the command "show session all filter application ftp".

Apply the filter "(application eq ftp) and (subtype eq end)" to the traffic logs.

Question 24 of 60.

A workstation at a company was infected with malware on September 18, 2014. Palo Alto Networks released
an antivirus signature for that malware on September 17, 2014. The company's firewall is licensed with Threat
Prevention and URL Filtering. The Threat log in the Monitor tab of the firewall shows no indications of traffic
related to the infection. However, the Traffic log shows traffic between the workstation and the
command-and-control server. Given the company's Dynamic Updates configuration: What is the cause of traffic not matching
a malware signature?

The update schedule is set to "download only" and not to "download and install".

A WildFire subscription is needed to detect malware.

The most recent updates were incremental and not full updates.

The infection occurred during the hourly update window when the malware was identified.

Question 25 of 60.

A network administrator needs to view the default action for a specific spyware signature. The administrator
follows the tabs and menus through Objects > Security Profiles > Anti-Spyware, and selects the default Profile.
What should be done next?

Click the Rules tab and then look for rules with "default" in the Action column. The default actions will be
displayed in the Action column.

Click the Exceptions tab and then click Show all signatures.

Nothing more is necessary. The actions already will be displayed with their default values.

Question 26 of 60.

WebandNetTrends Unlimited's new web server software is discovered to produce traffic that the Palo Alto
Networks firewall sees as "unknown-tcp" traffic. Which two configurations would identify the application while
preserving the ability of the firewall to perform content and threat detection on the traffic? (Choose two.)

A custom application with content and threat detection enabled, which includes a signature, identifying
the new web server's traffic

A custom application, with a name properly describing the new web server's purpose

An Application Override policy that assigns the new web server traffic to the built-in application
"web-browsing"

A custom application and an Application Override policy that assigns traffic going to and from the web
server to the custom application

Question 27 of 60.

Which statement is true if a Security policy contains two rules that would both match a proposed new session?

The rule with the most restrictive action will be applied.

Both rules will be applied.

Deny rules are evaluated first, and then Accept rules.

The first rule that matches while evaluating the rules from top to bottom is the one that will be applied.

Question 28 of 60.

Which mechanism is used to trigger a High Availability (HA) failover in the event the management plane
becomes unresponsive in the active firewall?

Heartbeat Polling

Path Monitoring

Link Monitoring

SNMP Polling

Question 29 of 60.

Which statement is true about how Palo Alto Networks firewalls monitor traffic on the network?

Unlike traditional firewalls that use port or protocol to identify applications, the Palo Alto Networks
firewalls use the application signature (the App-ID technology) to identify applications.

Unlike traditional firewalls that use port or protocol to identify applications, the Palo Alto Networks
firewalls use the Application Override rules to identify and monitor applications.

Traffic logs are generated by policies that have "deny" defined as their action, and will not log any traffic
that matches policies configured to "allow".

Palo Alto Networks firewalls use Content-ID to examine the content of traffic to identify applications in
logs and reports.

Question 30 of 60.

A US-CERT notification is published regarding a newly discovered piece of malware. The infection is spread
using spear phishing emails that prompt users to click an HTTP hyperlink, which then downloads the malware.
Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall
is configured to dynamically update to the latest databases automatically. Which component and
implementation will detect and prevent this threat?

Zone Protection Profiles applied to the external zone with Packet Based Attack Protection with action set
to block high-severity threats

Vulnerability Protection Profiles applied to inbound and outbound Security policies with action set to block
high-severity threats

Antivirus Profiles applied to outbound Security policy rules with action set to block high-severity threats

Antivirus Profiles applied to inbound Security policies with action set to block high-severity threats

Question 31 of 60.

A client downloads a malicious file from the internet. The Palo Alto firewall has a valid WildFire subscription.
The Security policy rule shown above matches the client HTTP session: Which three actions take place when
the firewall's Content-ID engine detects a virus in the file and the decoder action is set to “block”? (Choose
three.)

The file and session information is sent to WildFire.

A Data Filtering log entry is generated.

The file download is terminated.

A file is received by the client

A threat log entry is generated.

The client receives a block page.

Question 32 of 60.

Which action will allow a firewall administrator to determine which NAT rules have NOT been matched since
the last reboot?

From the CLI, issue the command test nat-policy-match against each configured rule.

In the GUI, select the Highlight Unused Rules option under Policies -> NAT.

From the CLI, issue the command show session all filter nat-rule command.

From the CLI, issue the command show running nat-policy command.

Question 33 of 60.

Which interface type provides support for point-to-point protocol over Ethernet (PPPoE)?

Virtual wire

Layer3

Layer2

PPP

Question 34 of 60.

A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They were asked not
to share this list outside of the organization. The Chief Information Security Officer has requested that all user
access to these URLs be filtered and blocked immediately to prevent potential breaches. However, the inline
Palo Alto Networks firewall is NOT licensed for URL Filtering. What is an efficient method for blocking access
to these URLs?

Use a script to automatically import each URL domain as an FQDN address object.

Import the URLs to a Custom URL Category and reference the URL Category in a Security policy rule set
to deny.

Import the URLs to a Dynamic Block List and reference the Dynamic Block List in a Security policy rule
set to deny.

Submit a Bulk Change Request via the Palo Alto Networks Support Portal containing the list of the URLs,
request that the URLs be categorized as “Malware,” and set the action to "block" for the Malware category in a
URL Filtering profile.

Question 35 of 60.

A company policy dictates that logs must be retained in their original format for a period of time that would
exceed the space limitations of the Palo Alto Networks firewall’s internal storage. Which two options will allow
the company to meet this requirement? (Choose two.)

External Syslog server

Palo Alto Networks Log Collector

Panorama Virtual Machine with NFS storage

Panorama Virtual Machine with SMB file storage

Question 36 of 60.

Where can the oversubscription rate be adjusted on platforms that support NAT oversubscription?

In the CLI, by using the command set session offload

In the GUI, under Device -> Setup -> Session -> Session Settings

In CLI configuration mode, by issuing the command set deviceconfig setting nat reserve-ip with the
appropriate argument

In the GUI, by selecting the individual rule name and making the adjustment under the Translated
Address tab

Question 37 of 60.

Which function resides on the management plane?

Application ID

System logging

Server response inspection

Content inspection performed in software

Question 38 of 60.

A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog
messages are forwarded to a syslog receiver. There are currently 20 PA-5060 firewalls, each of which is
configured to forward syslogs individually. The security engineer wants to leverage their two M-100 appliances
to send syslog messages from a single source and already has deployed one in Panorama mode and the other
as a Log Collector. What is the remaining step in this solution?

Enable Syslog Aggregation

Configure a Syslog Proxy Profile

Configure Collector Log Forwarding

Configure a Panorama Log Forwarding Profile

Question 39 of 60.

Which is a valid selection in the Actions section of a Security Policy rule?

Description

HIP Profiles

Application Default

Log at Session Start

Question 40 of 60.

A Management Profile to allow SSH access has been created and applied to interface ethernet1/1. A security
rule with the action "deny" is applied to packets from "any" source zone to "any" destination zone. What will
happen when someone attempts to initiate an SSH connection to ethernet1/1?

SSH access to the interface will be denied because intra-zone traffic is denied.

SSH access to the interface will be allowed because inter-zone traffic is allowed.

SSH access to the interface will be allowed because intra-zone traffic is allowed by default.

SSH access to the interface will be allowed because the Management Profile is applied before the
Security policy.

Question 41 of 60.

A user is reporting that they cannot download a PDF file from the internet. Which option will show whether the
downloaded file has been blocked by a Security Profile?

Filter the Data Filtering logs for the user's traffic and the name of the PDF file.

Filter the Traffic logs for all traffic from the user that resulted in a deny action.

Filter the Session Browser for all sessions from the user with the application "adobe".

Filter the System log for "Download Failed" messages.

Question 42 of 60.

Company employees have been given access to the GlobalProtect Portal at https://portal.company.com.
Assume the following: The URL portal.company.com resolves to the external interface of the firewall on the
company's external DNS server and to the internal interface of the firewall on the company's internal DNS
server. The URL gateway1.company.com resolves to the external interface of the firewall on the company's
external DNS server and to the internal interface of the firewall on the company's internal DNS server. The
DNS entry for gateway1 resolves to the internal interface of the firewall on the company's internal DNS server.
The URL resolves both inside and outside the network. This Gateway configuration will have which two
outcomes? (Choose two.)

Clients inside the network will NOT be able to connect to the internal gateway Gateway1.

Clients outside the network will be able to connect to the external gateway Gateway1.

Clients outside the network will NOT be able to connect to the external gateway Gateway1.

Clients inside the network will be able to connect to the internal gateway Gateway1.

Question 43 of 60.

Consider this graphic representation of the Threat Monitor report: What does this report display?

It displays the Top 12 Threat types over the last 6 hours.

It displays all vulnerabilities found over the past 6 hours.

It displays the Top 10 Threat types over the last 6 hours.

It displays accumulated information about all threats.

Question 44 of 60.

Which public key infrastructure component is required to implement SSL Forward Proxy?

Certificate Authority certificate

Certificate signing request

Online Certificate Status Protocol

Machine certificate

Question 45 of 60.

Given the following Security Policy and information about traffic traversing the firewall:
Source Address: 192.168.64.10
Source Zone: Trust-L3
Destination Address: 199.167.55.50
Destination Zone: Untrust-L3
Destination port: 85
Application: web-browsing
Which rule will match the specified traffic?

Rule number 4

Rule number 3

Rule number 6

Rule number 2

Question 46 of 60.

Which Panorama feature allows for aggregated device logs to be forwarded to an external security information
and event management (SIEM) system?

Scheduled Log Aggregation and Forwarding

Device Group Log Forwarding Profiles

Collector Log Forwarding for Collector Groups

Log Forwarding Profile

Question 47 of 60.

Why is “Browsing to IP domains” an event that appears in the Botnet report?

IP domains are frequently used by command-and-control servers that have been blocked from becoming
part of either a DNS domain or a Windows domain.

Web browsing to an IP address instead of a URL may indicate an attempt to avoid proper categorization
when traffic passes through a URL Filtering system.

Only a newly-created website could have an IP address but not a URL, and newly-created websites are
statistically more likely to provide command-and-control services that connect to malware.

Web browsing to an IP address is not possible and is an indicator of a possible attempt to tunnel other
applications through TCP port 80.

Question 48 of 60.

Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose
two.)

Checking for suspicious, but technically compliant, protocol behavior

Creating virtual connections out of UDP traffic

Temporarily allowing an external web server to send inbound packets after an outbound request for a
web page

Inspecting traffic at the application layer

Question 49 of 60.

Which item can be configured with IPv6 addresses on a Palo Alto Networks firewall?

OSPFv3

RIPv2

DHCP Server

BGP

Question 50 of 60.

Which two external authentication methods can be used with Authentication Profiles in PAN-OS? (Choose
two.)

NTLM

LDAP

RSH

RADIUS

Question 51 of 60.

A company has a Palo Alto Networks firewall configured with the following three zones: Untrust-L3, DMZ,
Trust-L3. The company hosts a publicly accessible web application on a server that resides in the Trust-L3 zone.
The web server is associated with the following IP addresses: Web Server Public IP: 2.2.2.1/24, Web Server
Private IP: 192.168.1.10/24. The security administrator configures the following two-zone U-Turn NAT rule to
allow users using 10.10.1.0/24 on the "Trust-L3" zone to access the web server using its public IP address in
the Untrust-L3 zone: Which statement is true in this situation?

The rule should be made bi-directional to accommodate the server-to-client flow.

The traffic will be considered intra-zone based on the translated destination zone.

A second rule should be created to accommodate the server-to-client flow.

Source translation is required because the destination address is in the same zone as the source.

Question 52 of 60.

Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

Alert

Allow

Log

Default

Question 53 of 60.

Which x509 attribute is required for "Forward Trust Certificate" to be enabled?

Certificate Authority

CRL Distribution Point

OCSP Location

Subject Alternate Name

Question 54 of 60.

Which technique can be performed by a next-generation firewall, but NOT by a legacy firewall?

Detecting a mismatched overlapping TCP segment

Inspecting HTTP data streams to detect instances of the POST method

Detecting a spoofed IP address

Allowing some ICMP echo-reply packets by matching them to ICMP echo-request packets

Question 55 of 60.

Given the following routing table: Which nexthop(s) would be added to the forwarding information base (FIB)
for the 192.168.93.0/30 network?

10.66.24.88

10.66.24.93

0.0.0.0

10.66.24.88, 10.66.24.93

Question 56 of 60.

Which two authentication methods are supported in PAN-OS software when using SSH to manage a device?
(Choose two.)

RADIUS

Public Key Authentication

NTLM

Certificate-based Authentication

Question 57 of 60.

American Textile Corporation has acquired Fab Fabric Limited. American Textile uses a SIP-based VoIP
phone system, which has been working well through a Palo Alto Networks firewall. However, integrating Fab
Fabric's SIP phone system into American Textile's network has not been successful. The network security
administrator for the combined company determines that the firewall is the cause of the failed phone system
integration. Which action will disable the Application Level Gateway (ALG) firewall feature for the Fab Fabric
phones while not affecting the American Textile Corporation phone system?

Disable ALG in the Security policy that matches the traffic to and from the Fab Fabric phones

Disable ALG for the "sip" application in the Applications sub-menu of the Objects tab.

Create an Application Override policy that assigns traffic to and from the Fab Fabric phones to a custom
application

Create an application override policy that assigns SIP traffic to a custom application.

Question 58 of 60.

A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating a flood of
bogus TCP connections to internal servers behind the firewall. This traffic is allowed by security policies, and
other than creating half-open TCP connections, it is indistinguishable from legitimate inbound traffic. Which
Zone Protection Profile with SYN Flood Protection action, when enabled with the correct threshold, would
mitigate this attack without dropping legitimate traffic?

SYN Cookies applied on the internet-facing zone

SYN Cookies applied on the internal zone

Random Early Drop applied on the internet-facing zone

Random Early Drop applied on the internal zone

Question 59 of 60.

In which scenario would an active/active High Availability (HA) deployment be recommended instead of an
active/passive HA pair?

There is a need for the firewalls to load balance the traffic on the network.

There is a potential for asymmetric routing to occur.

There is a need to double the net throughput capacity of the HA pair.

There is a need to load balance the traffic on the network.

Question 60 of 60.

A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode and will be
using HA-Lite. Which capability can be used in this situation?

Link Aggregation

Session Sync

Configuration Sync

Jumbo Frames
