PCNSE

By palo-alto-networks
Aug, 2025

Question 1

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

  • A: check
  • B: find
  • C: test
  • D: sim

Question 2

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

  • A: The settings assigned to the template that is on top of the stack.
  • B: The administrator will be prompted to choose the settings for that chosen firewall.
  • C: All the settings configured in all templates.
  • D: Depending on the firewall location, Panorama decides which settings to send.

Question 3

View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Image 1
  • A: It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
  • B: It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
  • C: It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
  • D: It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.

Question 4

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

  • A: TACACS+
  • B: Kerberos
  • C: PAP
  • D: LDAP
  • E: SAML
  • F: RADIUS

Question 5

What is exchanged through the HA2 link?

  • A: hello heartbeats
  • B: User-ID information
  • C: session synchronization
  • D: HA state information

Question 6

Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

  • A: Both SSH keys and SSL certificates must be generated.
  • B: No prerequisites are required.
  • C: SSH keys must be manually generated.
  • D: SSL certificates must be generated.

Question 7

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)

  • A: ae.8
  • B: aggregate.1
  • C: ae.1
  • D: aggregate.8

Question 8

Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

  • A: Push
  • B: Pull
  • C: Okta Adaptive
  • D: Voice
  • E: SMS

Question 9

VPN traffic intended for an administrator's firewall is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

  • A: Zone Protection
  • B: Replay
  • C: Web Application
  • D: DoS Protection

Question 10

Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.

  • A: Image 1
  • B: Image 2
  • C: Image 3
  • D: Image 4

Question 11

An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step is needed to enable QoS?

  • A: Enable QoS interface
  • B: Enable QoS in the Interface Management Profile
  • C: Enable QoS Data Filtering Profile
  • D: Enable QoS monitor

Question 12

Which log file can be used to identify SSL decryption failures?

  • A: Traffic
  • B: ACC
  • C: Configuration
  • D: Threats

Question 13

Which method will dynamically register tags on the Palo Alto Networks NGFW?

  • A: RESTful API or the VMware API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
  • B: RESTful API or the VMware API on the firewall or on the User-ID agent
  • C: XML API or the VMware API on the firewall or on the User-ID agent or the CLI
  • D: XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Question 14

A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)

  • A: tunnel.1
  • B: vpn-tunnel.1
  • C: tunnel.1025
  • D: vpn-tunnel.1024

Question 15

Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

Image 1
  • A: Palo Alto Networks > Symantec > VeriSign
  • B: VeriSign > Symantec > Palo Alto Networks
  • C: Symantec > VeriSign > Palo Alto Networks
  • D: VeriSign > Palo Alto Networks > Symantec

Question 16

An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?

  • A: Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
  • B: Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
  • C: Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your Internet connection.
  • D: Configure a Security policy rule to allow all traffic to and from the update servers.

Question 17

A company wants to install an NGFW between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

  • A: Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
  • B: Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
  • C: Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
  • D: Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Question 18

Which data flow describes redistribution of user mappings?

  • A: User-ID agent to firewall
  • B: Domain Controller to User-ID agent
  • C: User-ID agent to Panorama
  • D: firewall to firewall

Question 19

Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

  • A: System Utilization log
  • B: System log
  • C: Resources widget
  • D: CPU Utilization widget

Question 20

Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)

  • A: Short message service
  • B: Push
  • C: User logon
  • D: Voice
  • E: SSH key
  • F: One-Time Password

Question 21

Which two features does PAN-OS® software use to identify applications? (Choose two.)

  • A: transaction characteristics
  • B: session number
  • C: port number
  • D: application layer payload

Question 22

An administrator wants to upgrade a firewall from PAN-OS® 9.1 to PAN-OS® 10.0. The firewall is not a part of an HA pair.
What needs to be updated first?

  • A: Applications and Threats
  • B: XML Agent
  • C: WildFire
  • D: PAN-OS Upgrade Agent

Question 23

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

  • A: Load configuration version
  • B: Save candidate config
  • C: Export device state
  • D: Load named configuration snapshot

Question 24

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A: Configure the option for "Threshold".
  • B: Disable automatic updates during weekdays.
  • C: Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
  • D: Automatically "download and install" but with the "disable new applications" option used.

Question 25

Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)

  • A: HA1 IP Address
  • B: Master Key
  • C: Zone Protection Profile
  • D: Network Interface Type
Page 1 of 25 • Questions 1-25 of 619
