Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: May 05, 2025

Palo Alto Networks Certifications PCNSE Questions & Answers

  • Question 141:

    An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.

    The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors.

    What is the recommended order of operational steps when upgrading?

    A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama

    B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

    C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

    D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

  • Question 142:

    An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

    A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

    B. Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

    C. Use the highest TLS protocol version to maximize security.

    D. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

  • Question 143:

    A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that, because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

    Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

    A. Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

    B. Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

    C. Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

    D. Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

  • Question 144:

    What happens when the log forwarding built-in action with tagging is used?

    A. Selected logs are forwarded to the Azure Security Center.

    B. Destination zones of selected unwanted traffic are blocked.

    C. Destination IP addresses of selected unwanted traffic are blocked.

    D. Selected unwanted traffic source zones are blocked.

  • Question 145:

    A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

    Which set of steps should the engineer take to accomplish this objective?

    A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.

    2. Check the box for negate option to negate this IP from the NAT translation.

    B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.

    2. Check the box for negate option to negate this IP subnet from NAT translation.

    C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port.

    2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

    3. Place (NAT-Rule-2) above (NAT-Rule-1).

    D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port.

    2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

    3. Place (NAT-Rule-1) above (NAT-Rule-2).

  • Question 146:

    An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

    A. Custom Log Format within Device > Server Profiles > Syslog

    B. Built-in Actions within Objects > Log Forwarding Profile

    C. Logging and Reporting Settings within Device > Setup > Management

    D. Data Patterns within Objects > Custom Objects

  • Question 147:

    When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?

    A. show system setting ssl-decrypt certs

    B. show system setting ssl-decrypt certificate

    C. debug dataplane show ssl-decrypt ssl-stats

    D. show system setting ssl-decrypt certificate-cache

  • Question 148:

    Which two are required by IPSec in transport mode? (Choose two.)

    A. Auto generated key

    B. NAT Traversal

    C. IKEv1

    D. DH-group 20 (ECP-384 bits)

  • Question 149:

    A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis.

    What must the engineer consider when planning deployment?

    A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.

    B. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.

    C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.

    D. Only Panorama must be patched to the target PAN-OS version before updating the firewalls.

  • Question 150:

    Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

    A. HA cluster members must be the same firewall model and run the same PAN-OS version.

    B. HA cluster members must share the same zone names.

    C. Panorama must be used to manage HA cluster members.

    D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.
