Professional Documents
Culture Documents
Pcnse6 PDF
Pcnse6 PDF
Which authentication method can provide role-based administrative access to firewalls running
PAN-OS?
A. LDAP
B. Certificate-based authentication
C. Kerberos
D. RADIUS with Vendor Specific Attributes
Answer: D
Explanation:
Assuming that the default antivirus profile is installed, match each decoder with its default action.
Answer:
Explanation:
FTP, SMB Block
HTTP Block
POP3, SMTP Alert
IMAP Alert
QUESTION NO: 3
Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3
answers
Answer: A,C,E
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 5
Within a Zone Protection Profile, under the Reconnaissance Protection tab, there are several
possible values for Action:
Answer:
QUESTION NO: 5
What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an Active/Passive
High Availability (HA) pair?
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 134
QUESTION NO: 6
Which source address translation type will allow multiple devices to share a single translated
source address while using a single NAT Policy rule?
Answer: A
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-
Match each type of report provided by the firewall with its description.
Answer:
Explanation:
PDF Summary Reports Reports that combine up to 18 custom or predefined reports from the
Threat, Application, Traffic, URL Filtering Categories into one document.
Report Groups Reports the combine other custom and predefined reports into a single file to be
emailed to one or more recipients.
Custom Reports Reports created by an administrator that filter on conditions and columns
User or Groups Activity Reports Reports on the application use and URL activity for a specific
user or a group
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/61/panorama/Panorama_AdminGuide/section_6.pdf page 151
QUESTION NO: 8
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-2021 Page 16 of PDF available there.
QUESTION NO: 9
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when
the Connect Method is set to "pre-logon"?
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12.
QUESTION NO: 10
A company is in the process of upgrading their existing Palo Alto Networks firewalls from version
6.1.0 to 6.1.1.
Which three methods can the firewall administrator use to install PAN-OS 6.1.1 across the
enterprise? Choose 3 answers
A. Push the PAN-OS 6.1.1 updates from the support site to install on each firewall.
B. Download PAN-OS 6.1.1 files from the support site and install them on each firewall after
manually uploading.
C. Download PAN-OS 6.1.1 to a USB drive and the firewall will automatically update after the USB
drive is inserted in the firewall.
Answer: B,E,F
Reference: https://live.paloaltonetworks.com/docs/DOC-1062
QUESTION NO: 11
Which configuration change on the firewall would cause it to use 10.66.24.88 as the nexthop for
the 192.168.93.0/30 network?
A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the metric for RIP to be lower than that of OSPF Ext
D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
Answer: D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5284-102-3-
17278/Route%20Redistribution%20and%20Filtering%20TechNote%20-%20Rev%20B.pdf
QUESTION NO: 12
Which NAT Policy rule will allow users outside the company to access the web server?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Explanation:
QUESTION NO: 13
A company has purchased a WildFire subscription and would like to implement dynamic updates
to download the most recent content as often as possible.
What is the shortest time interval the company can configure their firewall to check for WildFire
updates?
A. Every 24 hours
B. Every 30 minutes
C. Every 15 minutes
D. Every 1 hour
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11
QUESTION NO: 14
Which method is the most efficient for determining which administrator made a specific change to
the running config?
A. In the Configuration log, set a filter for the edit command and look for the object that was
changed.
B. In the System log, set a filter for the name of the object that was changed.
C. In Config Audit, compare the current running config to all of the saved configurations until the
change is found.
D. In Config Audit, compare the current running config to previous committed versions until the
change is found.
Answer: B
Explanation:
QUESTION NO: 15
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific
file type, and there is a specific application that you want to match in the policy.
What are three valid actions that can be set when the specified file is detected? Choose 3 answers
A. Reset-both
B. Block
C. Continue
D. Continue-and-forward
E. Upload
Answer: B,C,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf page 287
QUESTION NO: 16
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the following
election settings:
Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive" state.
Firewall 5050-B reboots causing 5050-A to become Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and is
back online?
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-2926
QUESTION NO: 17
Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers
A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis,
regardless of interface(s). They provide reconnaissance protection against TCP/UDP port scans
and host sweeps.
B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide
resource protection by limiting the number of sessions that can be used.
C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force
methods, amplification, spoofing, and other vulnerabilities.
D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing
"random early drop".
QUESTION NO: 18
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo
Alto Networks firewall for multiple virtual systems?
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/tech-briefs/virtual-systems.pdf page 6
QUESTION NO: 19
A security engineer has been asked by management to optimize how Palo Alto Networks firewall
syslog messages are forwarded to a syslog receiver. There are currently 20 PA-5060 s, each of
which is configured to forward syslogs individually.
The security engineer would like to leverage their two M-100 appliances to send syslog messages
from a single source and has already deployed one in Panorama mode and the other as a Log
Collector.
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-7987
QUESTION NO: 20
What can cause missing SSL packets when performing a packet capture on data plane
interfaces?
A. There is a hardware problem with the offloading FPGA on the management plane.
B. The missing packets are offloaded to the management plane CPU.
C. The packets are hardware offloaded to the offload processor on the data plane.
D. The packets are not captured because they are encrypted.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-8621
QUESTION NO: 21
A company has a policy that denies all applications they classify as bad and permits only
applications they classify as good. The firewall administrator created the following security policy
on the company s firewall:
Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2 answers
Answer: A,D
Explanation:
QUESTION NO: 22
1. The firewall is configured to resolve DNS names using the internal DNS server.
2. The URL portal.company.com resolves to the external interface of the firewall on the companys
external DNS server and to the internal interface of the firewall on the company s internal DNS
server.
3. The URL gatewayl.company.com resolves to the external interface of the firewall on the
companys external DNS server and to the internal interface of the firewall on the company s
internal DNS server.
This Gateway configuration will have which two outcomes? Choose 2 answers
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Answer: A,B
Explanation:
QUESTION NO: 23
A. 2TB
B. 4TB
C. 6TB
D. STB
Answer: B
Reference:
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-up-
panorama/set-up-the-m-100-appliance.html
QUESTION NO: 24
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security Profile?
A. Filter the Session Browser for all sessions from the user with the application "adobe".
B. Filter the System log for "Download Failed" messages.
C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
D. Filter the Data Filtering logs for the users traffic and the name of the PDF file.
Answer: D
Explanation:
QUESTION NO: 25
What has happened when the traffic log shows an internal host attempting to open a session to a
properly configured sinkhole address?
A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server.
B. The internal host attempted to use DNS to resolve a known malicious domain into an IP
address.
C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious
domain.
D. A malicious domain is trying to contact an internal DNS server.
Answer: B
QUESTION NO: 26
Which Security Policy rule configuration option disables antivirus and anti-spyware scanning of
server-to-client flows only?
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/getting-
started/set-up-basic-security-policies.html
QUESTION NO: 27
Which two interface types provide support for network address translation (NAT)? Choose 2
answers
A. HA
B. Tap
C. Layer3
D. Virtual Wire
E. Layer2
Answer: C,D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-7-
11647/Understanding_NAT-4.1-RevC.pdf
QUESTION NO: 28
A firewall is being attacked with a port scan. Which component can prevent this attack?
Answer: D
Reference: https://live.paloaltonetworks.com/docs/DOC-4501
QUESTION NO: 29
The security administrator is investigating why ICMP traffic between the hosts is not working.
She first ensures that ail traffic is allowed between zones based on the following security policy
rule:
Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to
communicate based on this information?
Answer: D
Explanation:
Answer:
Explanation:
Panorama Dynamically updates firewall policy with VM context for NSX
QUESTION NO: 31
After migrating from an ASA firewall, the VPN connection between a remote network and the Palo
Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs:
Which setting should be changed on the Palo Alto Firewall to resolve this error message?
A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/vpns/interpret-
vpn-error-messages.html
QUESTION NO: 32
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers
A. Virtual Wire
B. Loopback
C. Tunnel
D. Layer3
Answer: B,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page 10
QUESTION NO: 33
Answer: C
Explanation:
QUESTION NO: 34
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security
Platform components use this database to prevent threats? Choose 2 answers
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Answer: B,C
Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html
QUESTION NO: 35
Which three inspections can be performed with a next-generation firewall but NOT with a legacy
firewall? Choose 3 answers
Answer: B,C,D
QUESTION NO: 36
Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface goes
down?
A. Link Monitoring
B. Heartbeat Polling
C. Preemption
D. SNMP Polling
Answer: A
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 130
Explanation:
A TCP three-way handshake completed successfully but the firewall does not have an appropriate
App-ID signature unknown-tcp
A TCP handshake completed successfully, but only one more packet was sent not enough to
identify the application insufficient-data
Data received has been discarded because it matched an explicit deny rule for that traffic not-
applicable
A TCP three-way handshake die NOT complete OR no additional data was sent after a successful
TCP three-way handshake incomplete
UDP data has been received but the firewall does not have an appropriate App-ID signature
unknown-udp.
Reference: https://live.paloaltonetworks.com/docs/DOC-1549
QUESTION NO: 38
Answer: D
Explanation:
QUESTION NO: 39
By default, all PA-5060 syslog data is forwarded out the Management interface. What needs to be
configured in order to send syslog data out of a different interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the same
route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs will be
sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reports-and-
logging/define-remote-logging-destinations.html
QUESTION NO: 40
A network administrator uses Panorama to push security policies to managed firewalls at branch
offices.
Which policy type should be configured on Panorama if the administrator wishes to allow local
administrators at the branch office sites to override these policies?
A. Implicit Rules
B. Post Rules
C. Default Rules
D. Pre Rules
Answer: D
Explanation:
QUESTION NO: 41
A network engineer experienced network reachability problems through the firewall. The routing
table on the device is complex. To troubleshoot the problem the engineer ran a Command Line
A. There is no route for the IP address 98.139.183.24, and there is a default route for outbound
traffic.
B. There is no interface in the firewall with the IP address 98.139.183.24.
C. In virtual-router vrl, there is a route in the routing table for the network 98.139.0.0/16.
D. There is no route for the IP address 98.139.183.24, and there is no default route.
Answer: D
Explanation:
QUESTION NO: 42
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the
certificate sent by the firewall to the client be when doing SSL Decryption?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/pan-
os/newfeaturesguide/management-features/configurable-key-size-for-ssl-forward-proxy-server-
certificates.html
QUESTION NO: 43
A hotel chain is using a system to centrally control a variety of items in guest rooms. The client
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom
application.
C. Create an application with a specified TCP timeout and assign traffic to it with an application
override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom
application.
Answer: C
Explanation:
QUESTION NO: 44
A. The ping will be successful because the management profile applied to Ethernet1/1 allows ping.
B. The ping will not be successful because the virtual router is different from the other
subinterfaces.
C. The ping will not be successful because there is no management profile attached to
Ethernet1/1.799.
D. The ping will not be successful because the security policy does not apply to VLAN 800.
E. The ping will be successful because the security policy permits this traffic.
Answer: D
Explanation:
QUESTION NO: 45
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19
QUESTION NO: 46
Which two steps are required to make Microsoft Active Directory users appear in the firewalls
traffic log? Choose 2 answers
Answer: A,E
Explanation:
QUESTION NO: 47
It is discovered that WebandNetTrends Unlimiteds new web server software produces traffic that
the Palo Alto Networks firewall sees as "unknown-tcp" traffic.
Which two configurations would identify the application while preserving the ability of the firewall to
perform content and threat detection on the traffic? Choose 2 answers
A. A custom application, with a name properly describing the new web server s purpose
B. A custom application and an application override policy that assigns traffic going to and from
the web server to the custom application
C. An application override policy that assigns the new web server traffic to the built-in application
"web-browsing"
D. A custom application with content and threat detection enabled, which includes a signature,
identifying the new web server s traffic
QUESTION NO: 48
The IT department has received complaints about VoIP call jitter when the sales staff is making or
receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the
rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a
user reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most bandwidth?
Answer: A
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
QUESTION NO: 49
A company has a web server behind their Palo Alto Networks firewall that they would like to make
accessible to the public. They have decided to configure a destination NAT Policy rule.
- DMZzone: DMZ-L3
- Public zone: Untrust-L3
- Web server zone: Trust-L3
- Public IP address (Untrust-L3): 1.1.1.1
- Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT Policy
rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
QUESTION NO: 50
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering
log?
A. Allow
B. Alert
C. Log
D. Default
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-
filtering/configure-url-filtering.html
QUESTION NO: 51
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic
have occurred in the last day?
A. Monitor->Session Browser
B. Monitor->App Scope->Summary
C. Objects->Applications->web-browsing
D. ACC->Application
Answer: D
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
QUESTION NO: 52
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks
security services? Choose 2 answers
A. Threat Prevention
Answer: A,E
Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html
QUESTION NO: 53
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded
with tens of thousands of bogus UDP connections per second to a single destination IP address
and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping
legitimate traffic to other hosts inside the network?
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-1746
QUESTION NO: 54
Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
Answer: A,B,C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-
com/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 8
QUESTION NO: 55
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto
Networks firewall.
Which method will show the global counters associated with the traffic after configuring the
appropriate packet filters?
A. From the CLI, issue the show counter interface command for the egress interface.
B. From the GUI, select "Show global counters" under the Monitor tab.
C. From the CLI, issue the show counter global filter packet-filter yes command.
D. From the CLI, issue the show counter interface command for the ingress interface.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-7971
QUESTION NO: 56
In the following display, ethernetl/6 is configured with an interface management profile that allows
ping with no restriction on the source address:
What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of
ethernet1/6?
Answer: D
Explanation:
QUESTION NO: 57
A security architect has been asked to implement User-ID in a MacOS environment with no
enterprise email, using a Sun LDAP server for user authentication.
In this environment, which two User-ID methods are effective for mapping users to IP addresses?
Choose 2 answers
Answer: C,D
Explanation:
QUESTION NO: 58
A. Static Route
B. RIPv2
C. DHCP Server
D. BGP
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-5493
QUESTION NO: 59
A. Configuration Sync
B. Link Aggregation
C. Session Sync
D. Jumbo Frames
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-3091
A company has a Palo Alto Networks firewall with a single VSYS that has both locally defined
rules as well as shared and device-group rules pushed from Panorama.
Answer:
Explanation:
1st: Shared Pre Rules
2nd: Device Group Pre Rules
Reference: https://live.paloaltonetworks.com/docs/DOC-8842