Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

PCNSEFree trialFree trial

By palo-alto-networks
Aug, 2025

Verified

25Q per page

Question 26

An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

  • A: Malware
  • B: Grayware
  • C: Phishing
  • D: Spyware

Question 27

When configuring the firewall for packet capture, what are the valid stage types?

  • A: receive, management, transmit, and non-syn
  • B: receive, management, transmit, and drop
  • C: receive, firewall, send, and non-syn
  • D: receive, firewall, transmit, and drop

Question 28

Which operation will impact the performance of the management plane?

  • A: DoS protection
  • B: WildFire submissions
  • C: generating a SaaS Application report
  • D: decrypting SSL sessions

Question 29

Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?

  • A: syslog listening
  • B: server monitoring
  • C: client probing
  • D: port mapping

Question 30

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

  • A: 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
  • B: 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
  • C: 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
  • D: 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

Question 31

Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

  • A: At-boot
  • B: Pre-logon
  • C: User-logon (Always on)
  • D: On-demand

Question 32

Which feature can provide NGFWs with User-ID mapping information?

  • A: Web Captcha
  • B: Native 802.1q authentication
  • C: GlobalProtect
  • D: Native 802.1x authentication

Question 33

Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)

  • A: Role Based
  • B: Custom Panorama Admin
  • C: Device Group
  • D: Dynamic
  • E: Template Admin

Question 34

Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

  • A: Select download-and-install
  • B: Select download-only
  • C: Select download-and-install, with ג€Disable new apps in content updateג€ selected
  • D: Select disable application updates and select ג€Install only Threat updatesג€

Question 35

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

  • A: Device>Setup>Services>AutoFocus
  • B: Device> Setup>Management >AutoFocus
  • C: AutoFocus is enabled by default on the Palo Alto Networks NGFW
  • D: Device>Setup>WildFire>AutoFocus
  • E: Device>Setup> Management> Logging and Reporting Settings

Question 36

Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?

  • A: 10,000
  • B: 15,000
  • C: 7,500
  • D: 5,000

Question 37

In which two types of deployment is active/active HA configuration supported? (Choose two.)

  • A: Layer 3 mode
  • B: TAP mode
  • C: Virtual Wire mode
  • D: Layer 2 mode

Question 38

For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)

  • A: ingress processing errors
  • B: rule match with action ג€denyג€
  • C: rule match with action ג€allowג€
  • D: equal-cost multipath

Question 39

Which logs enable a firewall administrator to determine whether a session was decrypted?

  • A: Traffic
  • B: Security Policy
  • C: Decryption
  • D: Correlated Event

Question 40

An administrator needs to upgrade an NGFW to the most current version of PAN-OSֲ® software. The following is occurring:
✑ Firewall has internet connectivity through e 1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

  • A: Static route pointing application PaloAlto-updates to the update servers
  • B: Security policy rule allowing PaloAlto-updates as the application
  • C: Scheduler for timed downloads of PAN-OS software
  • D: DNS settings for the firewall to use for resolution

Question 41

A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

  • A: Add an Anti-Spyware Profile to block attacking IP address
  • B: Define a custom App-ID to ensure that only legitimate application traffic reaches the server
  • C: Add QoS Profiles to throttle incoming requests
  • D: Add a tuned DoS Protection Profile

Question 42

An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OSֲ® software?

  • A: Antivirus update package.
  • B: Applications and Threats update package.
  • C: User-ID agent.
  • D: WildFire update package.

Question 43

A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?

  • A: Anti-Spyware
  • B: WildFire
  • C: Vulnerability Protection
  • D: Antivirus

Question 44

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

  • A: Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
  • B: An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
  • C: When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
  • D: Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

Question 45

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

  • A: CRL
  • B: CRT
  • C: OCSP
  • D: Cert-Validation-Profile
  • E: SSL/TLS Service Profile

Question 46

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

  • A: Security policy rule allowing SSL to the target server
  • B: Firewall connectivity to a CRL
  • C: Root certificate imported into the firewall with ג€Trustג€ enabled
  • D: Importation of a certificate from an HSM

Question 47

Which administrative authentication method supports authorization by an external service?

  • A: Certificates
  • B: LDAP
  • C: RADIUS
  • D: SSH keys

Question 48

Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

  • A: .dll
  • B: .exe
  • C: .fon
  • D: .apk
  • E: .pdf
  • F: .jar

Question 49

An administrator has been asked to configure active/active HA for a pair of firewalls. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

  • A: The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
  • B: Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
  • C: The firewalls do not use floating IPs in active/active HA.
  • D: The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Question 50

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

  • A: GlobalProtect version 4.0 with PAN-OS 8.1
  • B: GlobalProtect version 4.1 with PAN-OS 8.1
  • C: GlobalProtect version 4.1 with PAN-OS 8.0
  • D: GlobalProtect version 4.0 with PAN-OS 8.0
Page 2 of 25 • Questions 26-50 of 619
12345

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!