PCNSE

By palo-alto-networks
Aug, 2025

Verified

Question 51

How does Panorama prompt VMware NSX to quarantine an infected VM?

  • A: HTTP Server Profile
  • B: Syslog Server Profile
  • C: Email Server Profile
  • D: SNMP Server Profile

Question 52

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

A.

Image 1

B.

Image 2

C.

Image 3

D.

Image 4

Question 53

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  • A: Create a no-decrypt Decryption Policy rule.
  • B: Configure a Dynamic Address Group for untrusted sites.
  • C: Create a Security Policy rule with a vulnerability Security Profile attached.
  • D: Enable the "Block sessions with untrusted issuers" setting.

Question 54

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

  • A: Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.
  • B: Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
  • C: Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
  • D: Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
  • E: Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

Question 55

What is the purpose of the firewall decryption broker?

  • A: decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
  • B: force decryption of previously unknown cipher suites
  • C: reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
  • D: inspect traffic within IPsec tunnels

Question 56

SAML SLO is supported for which two firewall features? (Choose two.)

  • A: GlobalProtect Portal
  • B: CaptivePortal
  • C: WebUI
  • D: CLI

Question 57

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

  • A: Red Hat Enterprise Virtualization (RHEV)
  • B: Kernel Virtualization Module (KVM)
  • C: Boot Strap Virtualization Module (BSVM)
  • D: Microsoft Hyper-V

Question 58

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

  • A: Rule Usage Hit counter will not be reset.
  • B: Highlight Unused Rules will highlight all rules.
  • C: Highlight Unused Rules will highlight zero rules.
  • D: Rule Usage Hit counter will reset.

Question 59

Which is not a valid reason for receiving a decrypt-cert-validation error?

  • A: Unsupported HSM
  • B: Unknown certificate status
  • C: Client authentication
  • D: Untrusted issuer

Question 60

In the following image from Panorama, why are some values shown in red?

Image 1
  • A: sg2 session count is the lowest compared to the other managed devices.
  • B: us3 has a logging rate that deviates from the administrator-configured thresholds.
  • C: uk3 has a logging rate that deviates from the seven-day calculated baseline.
  • D: sg2 has misconfigured session thresholds.

Question 61

The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?

Image 1
  • A: A Certificate Profile that contains the client certificate needs to be selected.
  • B: The source address supports only files hosted with an ftp://<address/file>.
  • C: External Dynamic Lists do not support SSL connections.
  • D: A Certificate Profile that contains the CA certificate needs to be selected.

Question 62

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

  • A: video streaming application
  • B: Client Application Process
  • C: Destination Domain
  • D: Source Domain
  • E: Destination user/group
  • F: URL Category

Question 63

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

  • A: Successful GlobalProtect Deployed Activity
  • B: GlobalProtect Deployment Activity
  • C: Successful GlobalProtect Connection Activity
  • D: GlobalProtect Quarantine Activity

Question 64

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

  • A: log forwarding auto-tagging
  • B: XML API
  • C: GlobalProtect agent
  • D: User-ID Windows-based agent

Question 65

SD-WAN is designed to support which two network topology types? (Choose two.)

  • A: point-to-point
  • B: hub-and-spoke
  • C: full-mesh
  • D: ring

Question 66

Which option describes the operation of the automatic commit recovery feature?

  • A: It enables a firewall to revert to the previous configuration if rule shadowing is detected.
  • B: It enables a firewall to revert to the previous configuration if application dependency errors are found.
  • C: It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure.
  • D: It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

Question 67

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

  • A: branch and hub locations
  • B: link requirements
  • C: the name of the ISP
  • D: IP Addresses

Question 68

Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

  • A: XML API
  • B: Port Mapping
  • C: Client Probing
  • D: Server Monitoring

Question 69

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

  • A: on the App Dependency tab in the Commit Status window
  • B: on the Policy Optimizer's Rule Usage page
  • C: on the Application tab in the Security Policy Rule creation window
  • D: on the Objects > Applications browser pages

Question 70

Which two events trigger the operation of automatic commit recovery? (Choose two.)

  • A: when an aggregate Ethernet interface component fails
  • B: when Panorama pushes a configuration
  • C: when a firewall performs a local commit
  • D: when a firewall HA pair fails over

Question 71

Panorama provides which two SD-WAN functions? (Choose two.)

  • A: network monitoring
  • B: control plane
  • C: data plane
  • D: physical network links

Question 72

Updates to dynamic user group membership are automatic; therefore, using dynamic user groups instead of static group objects allows you to:

  • A: respond to changes in user behaviour or potential threats using manual policy changes
  • B: respond to changes in user behaviour or potential threats without manual policy changes
  • C: respond to changes in user behaviour or potential threats without automatic policy changes
  • D: respond to changes in user behaviour and confirmed threats with manual policy changes

Question 73

How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

  • A: by adding the device's Host ID to a quarantine list and configuring GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
  • B: by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook
  • C: by using security policies, log forwarding profiles, and log settings
  • D: there is no native auto-quarantine feature so a custom script would need to be leveraged

Question 74

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

  • A: PBP (Protocol Based Protection)
  • B: BGP (Border Gateway Protocol)
  • C: PGP (Packet Gateway Protocol)
  • D: PBP (Packet Buffer Protection)

Question 75

A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a firewall that was previously being used in a lab.
The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:

Image 1

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using command: > request restart system
Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:

  • A: The bootstrap.xml file is a required file, but it is missing
  • B: Firewall must be in factory default state or have all private data deleted for bootstrapping
  • C: The hostname is a required parameter, but it is missing in init-cfg.txt
  • D: The USB must be formatted using the ext3 file system. FAT32 is not supported
Page 3 of 25 • Questions 51-75 of 619
