An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)

Inherit settings from the Shared group

Inherit parent Security policy rules and objects

Inherit all Security policy rules and objects

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?

A self-signed certificate generated on the firewall

A web server certificate signed by the organization’s PKI

A web server certificate signed by an external Certificate Authority

A subordinate Certificate Authority certificate signed by the organization’s PKI

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?

Disable ALG under SIP application

Disable ALG under H.323 application

Increase the TCP timeout under H.323 application

Increase the TCP timeout under SIP application

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

Perform the Export or push Device Config Bundle to the newly managed firewall.

Ensure Force Template Values is checked when pushing configuration.

Push the Template first, then push Device Group to the newly managed firewall.

Push the Device Group first, then push Template to the newly managed firewall.

Which new PAN-OS 11.0 feature supports IPv6 traffic?

DHCPv6 Client with Prefix Delegation

Which three items must be configured to implement application override? (Choose three.)

Application override policy rule

Which three items must be configured to implement application override? (Choose three.)

Application override policy rule

An engineer is configuring a firewall with three interfaces: • MGT connects to a switch with internet access. • Ethernet1/1 connects to an edge router. • Ethernet1/2 connects to a virtualization network. The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

Set DNS and Palo Alto Networks Services to use the MGT source interface.

Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

Set DDNS and Palo Alto Networks Services to use the MGT source interface.

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

No client configuration is required for explicit proxy, which simplifies the deployment complexity.

Explicit proxy supports interception of traffic using non-standard HTTPS ports.

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Add the policy in the shared device group as a pre-rule.

Clone the security policy and add it to the other device groups.

Add the policy to the target device group and apply a master device to the device group.

Reference the targeted device’s templates in the target device group.

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

The User-ID agent is connected to a domain controller labeled lab-client.

The host lab-client has been found by the User-ID agent.

The host lab-client has been found by a domain controller.

The User-ID agent is connected to the firewall labeled lab-client.

A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?

Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.

Perform a device group push using the “merge with device candidate config” option.

Update the apps and threat version using device-deployment.

Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Perform a template commit push from Panorama using the “Force Template Values” option.

Reload the running configuration and perform a Firewall local commit.

Perform a commit force from the CLI of the firewall.

Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option.

Where can a service route be configured for a specific destination IP?

Use Device > Setup > Services > Service Route Configuration > Customize > Destination

Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4

Use Device > Setup > Services > Services

Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?

Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.

Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution.

Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.

Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

A service route to the LDAP server

A User-ID agent on the LDAP server

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Change destination NAT zone to Trust_L3.

Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.

Change Source NAT zone to Untrust_L3.

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?

Add SSL application to the same rule.

SSL and web-browsing must both be explicitly allowed.

Add SSL and web-browsing applications to the same rule.

Add web-browsing application to the same rule.

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?

Destination-Based Service Route

IPv6 Source or Destination Address

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)

A QoS policy for each application

A QoS profile defining traffic classes

QoS on the egress interface for the traffic flows

An Application Override policy for the SIP traffic

QoS on the ingress interface for the traffic flows

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Rename a vsys on a multi-vsys firewall

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Change the firewall management IP address

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall DATACENTER_DG post-rules - shared post-rules DATACENTER_DG default rules

shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall DATACENTER_DG post-rules - shared post-rules shared default rules

shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules - DATACENTER_DG default rules

shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules - shared default rules

Which operation will impact the performance of the management plane?

Generating a Saas Application report

Enabling packet buffer protection

Why would a traffic log list an application as "not-applicable"?

The firewall denied the traffic before the application match could be performed.

There was not enough application data after the TCP connection was established.

The TCP connection terminated without identifying any application data.

The application is not a known Palo Alto Networks App-ID.

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. What should the engineer do to complete the configuration?

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

Applications configured in the rule with applications seen from traffic matching the same rule

Applications configured in the rule with their dependencies

The security rule with any other security rule selected

The running configuration with the candidate configuration of the firewall

Given the following snippet of a WildFire submission log, did the end user successfully download a file?

No, because the action for the wildfire-virus is "reset-both."

Yes, because the final action is set to "allow."

No, because the URL generated an alert.

Yes, because both the web-browsing application and the flash file have the "alert" action.

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

Number of security zones in decryption policies

Mock P C N S E Exam 5

Authored by Steve Brusas

Professional Development

1st - 5th Grade

Used 9+ times

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

75 questions

Show all answers

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall.
What should the administrator configure in order to connect the sites?

Generic Routing Encapsulation (GRE) Tunnels

GlobalProtect Satellite

SD-WAN

IKE Gateways

Answer explanation

GlobalProtect Satellite—A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/large-scale-vpn-lsvpn/lsvpn-overview#id6b64ee5f-9e3f-4246-9296-945c25cd6c3b

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

A customer wants to set up a site-to-site VPN using tunnel interfaces.
What format is the correct naming convention for tunnel interfaces?

tun.1025

tunnel.50

vpn.1024

gre1/2

Answer explanation

tunnel is the default name on the setup page, while 50 is the number you assigned for the tunnel... and when you finish creating the tunnel, the wizard adds the default name and assigned number together making it tunnel.50

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.
What part of the network profile configuration should the engineer verify?

Destination IP

Threshold

Action

Interval

Answer explanation

Configure a Monitoring Profile.
Network > Network Profiles > Monitor > Add
Make sure "Fail Over" Option is selected. < Action Settings
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

MULTIPLE SELECT QUESTION

2 mins • 1 pt

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

One-time password

User certificate

SMS

Voice

Fingerprint

Answer explanation

Push
An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS)
An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice
An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP)
An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

MULTIPLE SELECT QUESTION

2 mins • 1 pt

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

LDAP

Log Ingestion

HTTP

Log Forwarding

Answer explanation

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs.
>Configure an HTTP server profile to forward logs to a remote User-ID agent.
> Select the log forwarding profile you created then select this server profile as the HTTP server profile
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?

Application port number translation

IPv6-to-IPv6 network prefix translation

Stateful translation to provide better security

IPv6-to-IPv6 host portion translation

Answer explanation

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nptv6/how-nptv6-works

MULTIPLE SELECT QUESTION

2 mins • 1 pt

An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)

Device certificate

Subordinate CA from the administrator’s own PKI infrastructure

Self-signed root CA

External CA certificate

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

71 questions

RMP - 7. FINAL PREPARATION

Quiz

•

1st Grade

80 questions

Uztura higiēna

Quiz

•

1st Grade

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

10 questions

Probability Practice

Quiz

•

4th Grade

15 questions

Probability on Number LIne

Quiz

•

4th Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

6 questions

Appropriate Chromebook Usage

Lesson

•

7th Grade

10 questions

Greek Bases tele and phon

Quiz

•

6th - 8th Grade

Discover more resources for Professional Development

10 questions

Probability Practice

Quiz

•

4th Grade

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

15 questions

Probability on Number LIne

Quiz

•

4th Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

15 questions

Equivalent Fractions

Quiz

•

4th Grade

Mock P C N S E Exam 5

An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall.
What should the administrator configure in order to connect the sites?

A customer wants to set up a site-to-site VPN using tunnel interfaces.
What format is the correct naming convention for tunnel interfaces?

tunnel is the default name on the setup page, while 50 is the number you assigned for the tunnel... and when you finish creating the tunnel, the wizard adds the default name and assigned number together making it tunnel.50

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.
What part of the network profile configuration should the engineer verify?

Configure a Monitoring Profile.
Network > Network Profiles > Monitor > Add
Make sure "Fail Over" Option is selected. < Action Settings
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nptv6/how-nptv6-works

An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)

An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

The only acceptable answer is A. You don't want to pay for the certificate, you don't want it to have a chain of trust and you don't want it trusted anywhere in your network. It's an 'Untrust' certificate after all.

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Professional Development

Mock P C N S E Exam 5

An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall.What should the administrator configure in order to connect the sites?

A customer wants to set up a site-to-site VPN using tunnel interfaces.What format is the correct naming convention for tunnel interfaces?

tunnel is the default name on the setup page, while 50 is the number you assigned for the tunnel... and when you finish creating the tunnel, the wizard adds the default name and assigned number together making it tunnel.50

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.What part of the network profile configuration should the engineer verify?

Configure a Monitoring Profile.Network > Network Profiles > Monitor > AddMake sure "Fail Over" Option is selected. < Action Settingshttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nptv6/how-nptv6-works

An administrator has been tasked with deploying SSL Forward Proxy.Which two types of certificates are used to decrypt the traffic? (Choose two.)

An engineer is deploying multiple firewalls with common configuration in Panorama.What are two benefits of using nested device groups? (Choose two.)

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

The only acceptable answer is A. You don't want to pay for the certificate, you don't want it to have a chain of trust and you don't want it trusted anywhere in your network. It's an 'Untrust' certificate after all.

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Professional Development

An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall.
What should the administrator configure in order to connect the sites?

A customer wants to set up a site-to-site VPN using tunnel interfaces.
What format is the correct naming convention for tunnel interfaces?

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.
What part of the network profile configuration should the engineer verify?

Configure a Monitoring Profile.
Network > Network Profiles > Monitor > Add
Make sure "Fail Over" Option is selected. < Action Settings
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)

An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)