PCNSE

By palo-alto-networks
Aug, 2025

Question 76

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

  • A: default-no-captive-portal
  • B: default-authentication-bypass
  • C: default-browser-challenge
  • D: default-web-form

Question 77

A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system ntfs and the initial configuration is stored in a file named init-cfg.txt.
The contents of init-cfg.txt in the USB flash drive are as follows:

Image 1

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because:

  • A: the bootstrap.xml file is a required file, but it is missing
  • B: init-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml
  • C: The USB must be formatted using the ext4 file system
  • D: There must be commas between the parameter names and their values instead of the equal symbols
  • E: The USB drive has been formatted with an unsupported file system

Question 78

To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations.
Which one is the correct configuration?

  • A: &Panorama
  • B: @Panorama
  • C: $Panorama
  • D: #Panorama

Question 79

Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

  • A: web-browsing and 443
  • B: SSL and 80
  • C: SSL and 443
  • D: web-browsing and 80

Question 80

On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

  • A: 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate
  • B: 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
  • C: 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate
  • D: 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export

Question 81

What is the maximum number of samples that can be submitted to WildFire manually per day?

  • A: 1,000
  • B: 2,000
  • C: 5,000
  • D: 15,000

Question 82

What file type upload is supported as part of the basic WildFire service?

  • A: ELF
  • B: BAT
  • C: PE
  • D: VBS

Question 83

An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

  • A: Task Manager
  • B: System Logs
  • C: Traffic Logs
  • D: Configuration Logs

Question 84

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

  • A: Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
  • B: Add a WildFire subscription to activate DoS and zone protection features.
  • C: Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems.
  • D: Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.

Question 85

DRAG DROP -
Please match the terms to their corresponding definitions.
Select and Place:

Image 1

Question 86

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from an L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can help this organization?

  • A: Test Policy Match
  • B: Application Groups
  • C: Policy Optimizer
  • D: Config Audit

Question 87

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

  • A: The bootstrap package is stored on an AFS share or a discrete container file bucket.
  • B: The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.
  • C: The /config, /content and /software folders are mandatory while the /license and /plugin folders are optional.
  • D: The init-cfg.txt and bootstrap.xml files are both optional configuration items for the /config folder.
  • E: The directory structure must include a /config, /content, /software and /license folders.

Question 88

Which Panorama objects restrict administrative access to specific device-groups?

  • A: admin roles
  • B: authentication profiles
  • C: templates
  • D: access domains

Question 89

An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?

  • A: Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
  • B: Use an enterprise CA-signed certificate for the Forward Untrust certificate.
  • C: Use the same Forward Trust certificate on all firewalls in the network.
  • D: Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

Question 90

Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

  • A: Security policy
  • B: Decryption policy
  • C: Authentication policy
  • D: Application Override policy

Question 91

An administrator receives the following error message:
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."
How should the administrator identify the root cause of this error message?

  • A: Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.
  • B: Check whether the VPN peer on one end is set up correctly using policy-based VPN.
  • C: In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
  • D: In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Question 92

The following objects and policies are defined in a device group hierarchy.

Image 1

Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group
NYC-DC has NYC-FW as a member of the NYC-DC device-group
What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

  • A: Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1
  • B: Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1
  • C: Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1
  • D: Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

Question 93

An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?

  • A: To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
  • B: Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
  • C: Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
  • D: The WildFire Global Cloud only provides bare metal analysis.

Question 94

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
  i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.)
  ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
  iii. Enterprise-Intermediate-CA
  iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.
The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

  • A: Enterprise-Trusted-CA which is a self-signed CA
  • B: Enterprise-Root-CA which is a self-signed CA
  • C: Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA
  • D: Enterprise-Untrusted-CA which is a self-signed CA

Question 95

What are three reasons for excluding a site from SSL decryption? (Choose three.)

  • A: the website is not present in English
  • B: unsupported ciphers
  • C: certificate pinning
  • D: unsupported browser version
  • E: mutual authentication

Question 96

DRAG DROP -
Match each SD-WAN configuration element to the description of that element.
Select and Place:

Image 1

Question 97

When overriding a template configuration locally on a firewall, what should you consider?

  • A: Panorama will update the template with the overridden value.
  • B: The firewall template will show that it is out of sync within Panorama.
  • C: Only Panorama can revert the override.
  • D: Panorama will lose visibility into the overridden configuration.

Question 98

When setting up a security profile, which three items can you use? (Choose three.)

  • A: WildFire analysis
  • B: anti-ransomware
  • C: antivirus
  • D: URL filtering
  • E: decryption profile

Question 99

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

  • A: Upgrade directly to the target major version.
  • B: Upgrade the HA pair to a base image.
  • C: Upgrade one major version at a time.
  • D: Upgrade two major versions at a time.

Question 100

What are three types of Decryption Policy rules? (Choose three.)

  • A: SSL Inbound Inspection
  • B: SSH Proxy
  • C: SSL Forward Proxy
  • D: Decryption Broker
  • E: Decryption Mirror