Paloalto Networks
Exam PCNSE6
Palo Alto Networks Certified Network Security Engineer 6.0
Version: 6.1

[ Total Questions: 153 ]

Paloalto Networks PCNSE6 : Practice Test


Question No : 1
Configuring a pair of devices into an Active/Active HA pair provides support for:
A. Higher session count
B. Redundant Virtual Routers
C. Asymmetric routing environments
D. Lower fail-over times
Answer: B

Question No : 2

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management > ... and then what operation?
A. Revert to Running Configuration
B. Revert to last Saved Configuration
C. Load Configuration Version
D. Import Named Configuration Snapshot
Answer: A

Question No : 3 HOTSPOT
A company has a Palo Alto Networks firewall with a single VSYS that has both locally
defined rules as well as shared and device-group rules pushed from Panorama.
In what order are the policies evaluated?

A Composite Solution With Just One Click - Certification Guaranteed

Answer:

Question No : 4
A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall,
with this configuration information:

Users outside the company are in the "Untrust-L3" zone.
The web server physically resides in the "Trust-L3" zone.
Web server public IP address: 1.1.1.1
Web server private IP address: 192.168.1.10

Which NAT Policy rule will allow users outside the company to access the web server?

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B

Question No : 5
Wildfire may be used for identifying which of the following types of traffic?
A. URL content
B. DHCP
C. DNS
D. Viruses
Answer: D

Question No : 6
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the "Forward" and "Continue and Forward" File-Blocking actions
B. A custom file blocking action must be enabled for all PDF and PE type files
C. Wildfire is automatically enabled with a valid URL-Filtering license
D. Via the URL-Filtering "Continue" Action.
Answer: A

Question No : 7
The IT department has received complaints about VoIP call jitter when the sales staff is
making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS
policy written in the rulebase. The IT manager wants to find out what traffic is causing the
jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most
bandwidth?
A. Application Command Center (ACC)
B. QoS Statistics
C. QoS Log
D. Applications Report
Answer: A
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf

Question No : 8
Which two steps are required to make Microsoft Active Directory users appear in the
firewall's traffic log? Choose 2 answers
A. Enable User-ID on the zone object for the source zone.
B. Enable User-ID on the zone object for the destination zone.
C. Configure a RADIUS server profile to point to a domain controller.
D. Run the User-ID Agent using an Active Directory account that has "domain
administrator" permissions.
E. Run the User-ID Agent using an Active Directory account that has "event log viewer"
permissions.
Answer: A,E

Question No : 9
Administrative Alarms can be enabled for which of the following except?
A. Certificate Expirations
B. Security Violation Thresholds
C. Security Policy Tags
D. Traffic Log capacity
Answer: A

Question No : 10
Where in the firewall GUI can an administrator see how many sessions of web-browsing
traffic have occurred in the last day?
A. Monitor->Session Browser
B. Monitor->App Scope->Summary
C. Objects->Applications->web-browsing
D. ACC->Application
Answer: D
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf

Question No : 11
Which of the following are accurate statements describing the HA3 link in an Active-Active
HA deployment?
A. HA3 is used for session synchronization
B. The HA3 link is used to transfer Layer 7 information
C. HA3 is used to handle asymmetric routing
D. HA3 is the control link
Answer: A

Question No : 12
Which of the following would be a reason to use an XML API to communicate with a Palo
Alto Networks firewall?
A. So that information can be pulled from other network resources for User-ID
B. To allow the firewall to push UserID information to a Network Access Control (NAC)
device.
C. To permit syslogging of User Identification events
Answer: B

Question No : 13
When Network Address Translation has been performed on traffic, Destination Zones in
Security rules should be based on:
A. Post-NAT addresses
B. The same zones used in the NAT rules
C. Pre-NAT addresses
D. None of the above
Answer: A

Question No : 14
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the
following election settings:

Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive"
state. Firewall 5050-B reboots causing 5050-A to become Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and
is back online?
A. Both firewalls are active (split brain)
B. Firewall 5050-B
C. Firewall 5050-A
D. It could be either firewall
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-2926

Question No : 15
Which three engines are built into the Single-Pass Parallel Processing Architecture?
Choose 3 answers
A. Application Identification (App-ID)
B. Group Identification (Group-ID)
C. User Identification (User-ID)
D. Threat Identification (Threat-ID)
E. Content Identification (Content-ID)
Answer: A,C,E
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 5

Question No : 16
In an Anti-Virus profile, changing the action to Block for IMAP or POP decoders will result
in the following:
A. The connection from the server will be reset
B. The Anti-virus profile will behave as if Alert had been specified for the action
C. The traffic will be dropped by the firewall
D. Error 541 being sent back to the server
Answer: B

Question No : 17
Subsequent to the installation of new licenses, the firewall must be rebooted
A. True
B. False
Answer: B

Question No : 18
When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best
answer
A. To maintain the list of remote GlobalProtect Portals and list of categories for checking
the client machine
B. To maintain the list of GlobalProtect Gateways and list of categories for checking the
client machine
C. To load balance GlobalProtect client connections to GlobalProtect Gateways
D. None of the above
Answer: B

Question No : 19
Can multiple administrator accounts be configured on a single firewall?
A. Yes
B. No
Answer: A

Question No : 20

Taking into account only the information in the screenshot above, answer the following
question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs
to be configured? Select all that apply.
A. Security policy from trust zone to Internet zone that allows ping
B. Create the appropriate routes in the default virtual router
C. Security policy from Internet zone to trust zone that allows ping
D. Create a Management profile that allows ping. Assign that management profile to e1/1
and e1/2
Answer: A,D

Question No : 21
A firewall administrator is troubleshooting problems with traffic passing through the Palo
Alto Networks firewall.

Which method will show the global counters associated with the traffic after configuring the
appropriate packet filters?
A. From the CLI, issue the show counter interface command for the egress interface.
B. From the GUI, select "Show global counters" under the Monitor tab.
C. From the CLI, issue the show counter global filter packet-filter yes command.
D. From the CLI, issue the show counter interface command for the ingress interface.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-7971

Question No : 22
Which feature can be configured with an IPv6 address?
A. Static Route
B. RIPv2
C. DHCP Server
D. BGP
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-5493

Question No : 23
When creating an application filter, which of the following is true?
A. They are used by malware
B. Excessive bandwidth may be used as a filter match criteria
C. They are called dynamic because they automatically adapt to new IP addresses
D. They are called dynamic because they will automatically include new applications from
an application signature update if the new application's type is included in the filter
Answer: D

Question No : 24
Which statement accurately reflects the functionality of using regions as objects in Security
policies?
A. Predefined regions are provided for countries, but not for cities. The administrator
can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region.
B. The administrator can set up custom regions, including latitude and longitude, to specify
the geographic position of that particular region. These custom regions can be used in the
"Source User" field of the Security Policies.
C. Regions cannot be used in the "Source User" field of the Security Policies, unless the
administrator has set up custom regions.
D. The administrator can set up custom regions, including latitude and longitude, to specify
the geographic position of that particular region. Both predefined regions and custom
regions can be used in the "Source User" field.
Answer: A

Question No : 25
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by
A. Configuring a corresponding HA4 interface
B. Configuring HA3 as an Aggregate Ethernet bundle
C. Configuring multiple HA3 interfaces
D. Configuring HA3 in a redundant group
Answer: B

Question No : 26
A Palo Alto Networks firewall has the following interface configuration;

Hosts are directly connected on the following interfaces:
Ethernet 1/6 - Host IP 192.168.62.2
Ethernet 1/3 - Host IP 10.46.40.63
The security administrator is investigating why ICMP traffic between the hosts is not
working.
She first ensures that all traffic is allowed between zones based on the following security
policy rule:

The routing table of the firewall shows the following output:

Which interface configuration change should be applied to ethernet1/6 to allow the two
hosts to communicate based on this information?
A. Change the Management Profile.
B. Change the security policy to explicitly allow ICMP on this interface.
C. Change the configured zone to DMZ.
D. Change the Virtual Router setting to VR1.
Answer: D

Question No : 27
What can cause missing SSL packets when performing a packet capture on data plane
interfaces?
A. There is a hardware problem with the offloading FPGA on the management plane.
B. The missing packets are offloaded to the management plane CPU.
C. The packets are hardware offloaded to the offload processor on the data plane.
D. The packets are not captured because they are encrypted.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-8621

Question No : 28
Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
A. Multi-Core Security Processor
B. Signature Match Processor
C. Network Processor
D. Protocol Decoder Processor
E. Management Processor
Answer: A,B,C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 8

Question No : 29
What happens at the point of Threat Prevention license expiration?
A. Threat Prevention no longer updated; existing database still effective
B. Threat Prevention is no longer used; applicable traffic is allowed
C. Threat Prevention no longer used; applicable traffic is blocked
D. Threat Prevention no longer used; traffic is allowed or blocked by configuration per
Security Rule
Answer: A

Question No : 30
Wildfire may be used for identifying which of the following types of traffic?
A. Malware
B. DNS
C. DHCP
D. URL Content
Answer: A

Question No : 31
A company has purchased a WildFire subscription and would like to implement dynamic
updates to download the most recent content as often as possible.
What is the shortest time interval the company can configure their firewall to check for
WildFire updates?
A. Every 24 hours
B. Every 30 minutes
C. Every 15 minutes
D. Every 1 hour
E. Every 5 minutes
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11

Question No : 32
After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving
the Captive Portal authentication page when they launch their web browsers. How can this
be corrected?
A. Ensure that all users in the Trust Zone are using NTLM-capable browsers
B. Enable "Response Pages" in the Interface Management Profile that is applied to the L3
Interface in the Trust Zone.
C. Confirm that Captive Portal Timeout value is not set below 2 seconds
D. Enable "Redirect " as the Mode type in the Captive Portal Settings
Answer: A,B

Question No : 33
As the Palo Alto Networks administrator responsible for User Identification, you are looking
for the simplest method of mapping network users that do not sign into LDAP. Which
information source would allow reliable User ID mapping for these users, requiring the least
amount of configuration?
A. WMI Query
B. Exchange CAS Security Logs
C. Captive Portal
D. Active Directory Security Logs
Answer: C

Question No : 34
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure
that no other web-browsing traffic is permitted?
A. Ensure that the Service column is defined as "application-default" for this security rule.
This will automatically include the implicit web-browsing application dependency.
B. Create a subsequent rule which blocks all other traffic
C. When creating the rule, ensure that web-browsing is added to the same rule. Both
applications will be processed by the Security policy, allowing only Facebook to be
accessed. Any other applications can be permitted in subsequent rules.
D. No other configuration is required on the part of the administrator, since implicit
application dependencies will be added automatically.
Answer: D

Question No : 35
After migrating from an ASA firewall, the VPN connection between a remote network and
the Palo Alto Networks firewall is not establishing correctly. The following entry is
appearing in the logs:
pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Firewall to resolve this error message?
A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panos/vpns/interpret-vpn-error-messages.html

Question No : 36
Which best describes how Palo Alto Networks firewall rules are applied to a session?
A. last match applied
B. first match applied
C. all matches applied
D. most specific match applied
Answer: B

Question No : 37
It is discovered that WebandNetTrends Unlimited's new web server software produces
traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic.
Which two configurations would identify the application while preserving the ability of the
firewall to perform content and threat detection on the traffic? Choose 2 answers
A. A custom application, with a name properly describing the new web server's purpose
B. A custom application and an application override policy that assigns traffic going to and
from the web server to the custom application
C. An application override policy that assigns the new web server traffic to the built-in
application "web-browsing"
D. A custom application with content and threat detection enabled, which includes a
signature identifying the new web server's traffic
Answer: A,B

Question No : 38
Which of the following must be configured when deploying User-ID to obtain information
from an 802.1x authenticator?
A. Terminal Server Agent
B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
C. A User-ID agent, with the "Use for NTLM Authentication" option enabled.
D. XML API for User-ID Agent
Answer: D

Question No : 39
Users can be authenticated serially to multiple authentication servers by configuring:
A. Multiple RADIUS Servers sharing a VSA configuration
B. Authentication Sequence
C. Authentication Profile
D. A custom Administrator Profile
Answer: B

Question No : 40
Enabling "Highlight Unused Rules" in the Security policy window will:
A. Highlight all rules that did not immediately match traffic.
B. Highlight all rules that did not match traffic since the rule was created or since last
reboot of the firewall
C. Allows the administrator to troubleshoot rules when a validation error occurs at the time
of commit.
D. Allow the administrator to temporarily disable rules that do not match traffic, for testing
purposes
Answer: B

Question No : 41
Which of the following must be enabled in order for UserID to function?
A. Captive Portal Policies must be enabled.
B. UserID must be enabled for the source zone of the traffic that is to be identified.
C. Captive Portal must be enabled.
D. Security Policies must have the UserID option enabled.
Answer: B

Question No : 42
What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering
Database (PAN-DB)?
A. The "Log Container Page Only" option can be employed in a URL-Filtering policy to
reduce the number of logging events.
B. URL-Filtering can now be employed as a match condition in Security policy
C. IP-Based Threat Exceptions can now be driven by custom URL categories
D. Daily database downloads for updates are no longer required as devices stay in-sync
with the cloud.
Answer: D

Question No : 43
How can a Palo Alto Networks firewall be configured to send syslog messages in a format
compatible with nonstandard syslog servers?
A. Enable support for non-standard syslog messages under device management.
B. Select a non-standard syslog server profile.
C. Create a custom log format under the syslog server profile.
D. Check the custom-format checkbox in the syslog server profile.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-2021 Page 16 of the PDF available there.

Question No : 44
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
A. Security, NAT, Policy-Based Forwarding
B. Intrazone, Interzone, Global
C. Intrazone, Interzone, Universal
D. Application, User, Content
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19

Question No : 45
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall
administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's
traffic logs.
What could be the problem?
A. The firewall is not licensed for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. None of the firewall's policies have been assigned a Log Forwarding profile.
D. A Server Profile has not been configured for logging to this Panorama device.
Answer: C

Question No : 46
WildFire Analysis Reports are available for the following Operating Systems (select all that
apply)
A. Windows XP
B. Windows 7
C. Windows 8
D. Mac OS-X
Answer: A,B,C

Question No : 47
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being
flooded with tens of thousands of bogus UDP connections per second to a single
destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without
dropping legitimate traffic to other hosts inside the network?
A. Zone Protection Policy with UDP Flood Protection
B. Classified DoS Protection Policy using destination IP only with a Protect action
C. QoS Policy to throttle traffic below maximum limit
D. Security Policy rule to deny traffic to the IP address and port that is under attack
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-1746

Question No : 48
Company employees have been given access to the GlobalProtect Portal at
https://portal.company.com:

Assume the following:

1. The firewall is configured to resolve DNS names using the internal DNS server.
2. The URL portal.company.com resolves to the external interface of the firewall on the
company's external DNS server and to the internal interface of the firewall on the
company's internal DNS server.
3. The URL gateway1.company.com resolves to the external interface of the firewall on the
company's external DNS server and to the internal interface of the firewall on the
company's internal DNS server.
This Gateway configuration will have which two outcomes? Choose 2 answers
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway
Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway
Gateway1.
Answer: A,B

Question No : 49
Which of the following describes the sequence of the Global Protect agent connecting to a
Gateway?
A. The agent connects to the portal, obtains a list of gateways, and connects to the
gateway with the fastest SSL response time
B. The agent connects to the closest Gateway and sends the HIP report to the portal
C. The agent connects to the portal, obtains a list of gateways, and connects to the
gateway with the fastest PING response time
D. The agent connects to the portal and randomly establishes a connection to the first
available gateway
Answer: A

Question No : 50
A network administrator uses Panorama to push security policies to managed firewalls at
branch offices.
Which policy type should be configured on Panorama if the administrator wishes to allow
local administrators at the branch office sites to override these policies?
A. Implicit Rules
B. Post Rules
C. Default Rules
D. Pre Rules
Answer: D

Question No : 51
The "Disable Server Return Inspection" option on a security profile:
A. Can only be configured in Tap Mode
B. Should only be enabled on security policies allowing traffic to a trusted server.
C. Does not perform higher-level inspection of traffic from the side that originated the TCP
SYN packet
D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK
packet
Answer: B

Question No : 52
What is the default setting for 'Action' in a Decryption Policy's rule?
A. No-decrypt
B. Decrypt
C. Any
D. None
Answer: D

Question No : 53
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2
answers
A. Virtual Wire
B. Loopback
C. Tunnel
D. Layer3
Answer: B,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page 10

Question No : 54
The following can be configured as a next hop in a Static Route:
A. A Policy-Based Forwarding Rule
B. Virtual System
C. A Dynamic Routing Protocol
D. Virtual Router
Answer: D

Question No : 55
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
A. VLAN
B. Vwire
C. Security Profile
D. Virtual Router
Answer: A

Question No : 56
Which URL Filtering Security Profile action logs the URL Filtering category to the URL
Filtering log?
A. Allow
B. Alert
C. Log
D. Default
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/urlfiltering/configure-url-filtering.html

Question No : 57
When a user logs in via Captive Portal, their user information can be checked against:
A. Terminal Server Agent
B. Security Logs
C. XML API
D. Radius
Answer: D

Question No : 58
When configuring Admin Roles for Web UI access, what are the available access levels?
A. Enable and Disable only
B. None, Superuser, Device Administrator
C. Allow and Deny only
D. Enable, Read-Only and Disable
Answer: D

Question No : 59
Which of the following objects cannot use User-ID as a match criteria?
A. Security Policies
B. QoS
C. Policy Based Forwarding
D. DoS Protection
E. None of the above
Answer: E

Question No : 60
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security
Profile?
A. Filter the Session Browser for all sessions from the user with the application "adobe".
B. Filter the System log for "Download Failed" messages.
C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
D. Filter the Data Filtering logs for the user's traffic and the name of the PDF file.
Answer: D

Question No : 61
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto
Networks security services? Choose 2 answers
A. Threat Prevention
B. App-ID
C. URL Filtering
D. PAN-OS
E. GlobalProtect Data File
Answer: A,E
Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html

Question No : 62
When an interface is in Tap mode and a policy action is set to block, the interface will send
a TCP reset.
A. True
B. False
Answer: B

Question No : 63
You have decided to implement a Virtual Wire Subinterface. Which options can be used to
classify traffic?
A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same
zone.
B. Subinterface ID and VLAN tag only
C. By Zone and/or IP Classifier
D. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).
Answer: D

Question No : 64
What will the user experience when browsing a Blocked hacking website such as
www.2600.com via Google Translator?
A. The URL filtering policy to Block is enforced
B. It will be translated successfully
C. It will be redirected to www.2600.com
D. User will get "HTTP Error 503 - Service unavailable" message
Answer: A

Question No : 65
Palo Alto Networks maintains a dynamic database of malicious domains. Which two
Security Platform components use this database to prevent threats? Choose 2 answers
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Answer: B,C
Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html

Question No : 66
Taking into account only the information in the screenshot above, answer the following
question. Which applications will be allowed on their standard ports? (Select all correct
answers.)

A. BitTorrent
B. Gnutella
C. Skype
D. SSH
Answer: A,D

Question No : 67
What is the correct policy to most effectively block Skype?
A. Allow Skype, block Skype-probe
B. Allow Skype-probe, block Skype
C. Block Skype-probe, block Skype
D. Block Skype
Answer: A

Question No : 68
Which one of the options describes the sequence of the GlobalProtect agent connecting to
a Gateway?
A. The agent connects to the portal, obtains a list of the Gateways, and connects to the
Gateway with the fastest SSL connect time
B. The agent connects to the portal and randomly establishes a connection to the first
available Gateway
C. The agent connects to the portal, obtains a list of the Gateways, and connects to the
Gateway with the fastest PING response time
D. The agent connects to the closest Gateway and sends the HIP report to the portal
Answer: C

Question No : 69
For non-Microsoft clients, what Captive Portal method is supported?
A. NTLM Auth
B. User Agent
C. Local Database
D. Web Form Captive Portal
Answer: D

Question No : 70
A network engineer experienced network reachability problems through the firewall. The
routing table on the device is complex. To troubleshoot the problem the engineer ran a
Command Line Interface (CLI) command to determine the egress interface for traffic
destined to 98.139.183.24. The command resulted in the following output:

How should this output be interpreted?
A. There is no route for the IP address 98.139.183.24, and there is a default route for
outbound traffic.
B. There is no interface in the firewall with the IP address 98.139.183.24.
C. In virtual-router vr1, there is a route in the routing table for the network 98.139.0.0/16.
D. There is no route for the IP address 98.139.183.24, and there is no default route.
Answer: D

Question No : 71
In the following display, ethernet1/6 is configured with an interface management profile that
allows ping with no restriction on the source address:

Given the following security policy rule base:

What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of
ethernet1/6?
A. The firewall will send an ICMP redirect message to the client.
B. The client will receive an ICMP "destination unreachable" packet.
C. The interface will respond.
D. The traffic will be dropped by the firewall.
Answer: D

Question No : 72
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the URL-Filtering "Continue" Action
B. Wildfire is automatically enabled with a valid URL-Filtering license
C. A custom file blocking action must be enabled for all PDF and PE type files
D. Via the "Forward" and "Continue and Forward" File-Blocking actions
Answer: A

Question No : 73
What is the maximum usable storage capacity of an M-100 appliance?
A. 2TB
B. 4TB
C. 6TB
D. 8TB
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-up-panorama/set-up-the-m-100-appliance.html

Question No : 74
Traffic going to a public IP address is being translated by your PANW firewall to your web
server's private IP. Which IP should the Security Policy use as the "Destination IP" in order
to allow traffic to the server?
A. The server's public IP
B. The firewall's gateway IP
C. The server's private IP
D. The firewall's MGT IP
Answer: A

Question No : 75
Which fields can be altered in the default Vulnerability profile?

A. Severity
B. Category
C. CVE
D. None
Answer: D

Question No : 76
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the
certificate sent by the firewall to the client be when doing SSL Decryption?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/panos/newfeaturesguide/management-features/configurable-key-size-for-ssl-forward-proxyserver-certificates.html

Question No : 77
A "Continue" action can be configured on the following Security Profiles:
A. URL Filtering, File Blocking, and Data Filtering
B. URL Filtering
C. URL Filtering and Antivirus
D. URL Filtering and File Blocking
Answer: D

Question No : 78

What is the size limitation of files manually uploaded to WildFire?
A. Configurable up to 10 megabytes
B. Hard-coded at 10 megabytes
C. Hard-coded at 2 megabytes
D. Configurable up to 20 megabytes
Answer: A

Question No : 79
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the
public IP address of the device. In situations where the public IP address is not static, this
value can be replaced with a domain name or other text value.
A. True
B. False
Answer: A

Question No : 80
To create a custom signature object for an Application Override Policy, which of the
following fields are mandatory?
A. Category
B. Regular Expressions
C. Ports
D. Characteristics
Answer: D

Question No : 81 HOTSPOT
Match the components with their role in preventing threats.
Answer options may be used more than once or not at all.
Answer:

Question No : 82
Which method is the most efficient for determining which administrator made a specific
change to the running config?
A. In the Configuration log, set a filter for the edit command and look for the object that was
changed.
B. In the System log, set a filter for the name of the object that was changed.
C. In Config Audit, compare the current running config to all of the saved configurations
until the change is found.
D. In Config Audit, compare the current running config to previous committed versions until
the change is found.
Answer: B

Question No : 83
What option should be configured when using User-ID?
A. Enable User-ID per zone
B. Enable User-ID per interface
C. Enable User-ID per Security Policy
D. None of the above
Answer: C

Question No : 84
What built-in administrator role allows all rights except for the creation of administrative
accounts and virtual systems?
A. superuser
B. vsysadmin
C. A custom role is required for this level of access
D. deviceadmin
Answer: D

Question No : 85

Ethernet 1/1 has been configured with the following subinterfaces:

The following security policy is applied:

The Interface Management Profile permits the following:

Your customer is trying to ping 10.10.10.1 from VLAN 800 IP 10.10.10.2/24.

What will be the result of this ping?
A. The ping will be successful because the management profile applied to Ethernet1/1
allows ping.
B. The ping will not be successful because the virtual router is different from the other
subinterfaces.
C. The ping will not be successful because there is no management profile attached to
Ethernet1/1.799.
D. The ping will not be successful because the security policy does not apply to VLAN 800.
E. The ping will be successful because the security policy permits this traffic.
Answer: D

Question No : 86
Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface
goes down?
A. Link Monitoring
B. Heartbeat Polling
C. Preemption
D. SNMP Polling
Answer: A
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 130

Question No : 87
A security engineer has been asked by management to optimize how Palo Alto Networks
firewall syslog messages are forwarded to a syslog receiver. There are currently 20 PA-5060s, each of which is configured to forward syslogs individually.
The security engineer would like to leverage their two M-100 appliances to send syslog
messages from a single source and has already deployed one in Panorama mode and the
other as a Log Collector.

What is the remaining step in implementing this solution?
A. Configure Collector Log Forwarding
B. Configure a Syslog Proxy Profile
C. Configure a Panorama Log Forwarding Profile
D. Enable Syslog Aggregation
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-7987

Question No : 88
What are two sources of information for determining if the firewall has been successful in
communicating with an external User-ID Agent?
A. System Logs and the indicator light under the User-ID Agent settings in the firewall
B. There's only one location - System Logs
C. There's only one location - Traffic Logs
D. System Logs and indicator light on the chassis
Answer: A

Question No : 89 HOTSPOT
Assuming that the default antivirus profile is installed, match each decoder with its default
action.
Answer options may be used more than once or not at all.

Answer:

Question No : 90
A company has a web server behind their Palo Alto Networks firewall that they would like to
make accessible to the public. They have decided to configure a destination NAT Policy
rule.
Given the following zone information:

DMZ zone: DMZ-L3
Public zone: Untrust-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT
Policy rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
Answer: C

Question No : 91
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off
communication?
A. MGT interface address
B. Loopback interface address
C. Any one Layer 3 interface address
D. Localhost address
Answer: B

Question No : 92
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most
informative logs?
A. Responding side, Traffic Logs
B. Initiating side, Traffic Logs
C. Responding side, System Logs
D. Initiating side, System Logs
Answer: C

Question No : 93
Which three inspections can be performed with a next-generation firewall but NOT with a
legacy firewall? Choose 3 answers
A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2
B. Validating that UDP port 53 packets are not being used to tunnel data for another
protocol
C. Identifying unauthorized applications that attempt to connect over non-standard ports
D. Allowing a packet through from an external DNS server only if an internal host recently
queried that DNS server
E. Removing from the session table any TCP session without traffic for 3600 seconds
Answer: B,C,D

Question No : 94
Which link is used by an Active-Passive cluster to synchronize session information?
A. The Data Link
B. The Control Link
C. The Uplink
D. The Management Link
Answer: A

Question No : 95
Which option allows an administrator to segregate Panorama and Syslog traffic, so that the
Management Interface is not employed when sending these types of traffic?
A. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and
Syslog devices.
B. Define a Loopback interface for the Panorama and Syslog Devices
C. On the Device tab in the Web UI, create custom server profiles for Syslog and
Panorama
D. Service Route Configuration
Answer: D

Question No : 96
What will the user experience when attempting to access a blocked hacking website
through a translation service such as Google Translate or Bing Translator?
A. A Blocked page response when the URL filtering policy to block is enforced.
B. A Success page response when the site is successfully translated.
C. The browser will be redirected to the original website address.
D. An "HTTP Error 503 Service unavailable" message.
Answer: A

Question No : 97
By default, all PA-5060 syslog data is forwarded out the Management interface. What
needs to be configured in order to send syslog data out of a different interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the
same route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs
will be sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reportsand-logging/define-remote-logging-destinations.html

Question No : 98
A company has a policy that denies all applications they classify as bad and permits only
applications they classify as good. The firewall administrator created the following security
policy on the company's firewall:

Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2
answers
A. Different security profiles can be applied to traffic matching rules 2 and 3.
B. Separate Log Forwarding profiles can be applied to rules 2 and 3.
C. Rule 2 denies traffic flowing across different TCP and UDP ports than rule 3.
D. A report can be created that identifies unclassified traffic on the network.
Answer: A,D

Question No : 99
Which of the following options may be enabled to reduce system overhead when using
Content ID?
A. STP
B. VRRP
C. RSTP
D. DSRI
Answer: D

Question No : 100
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:
A. Password-protected access to specific file downloads, for authorized users increased
speed on the downloads of the allowed file types
B. Protection against unwanted downloads, by alerting the user with a response page
indicating that file is going to be downloaded
C. The Administrator the ability to leverage Authentication Profiles in order to protect
against unwanted downloads
Answer: C

Question No : 101
When configuring a Decryption Policy, which of the following are available as matching
criteria in a policy? (Choose 3)
A. Source Zone
B. Source User
C. Service
D. URL-Category
E. Application
Answer: A,B,D

Question No : 102
Which authentication method can provide role-based administrative access to firewalls
running PAN-OS?
A. LDAP
B. Certificate-based authentication
C. Kerberos
D. RADIUS with Vendor Specific Attributes
Answer: D

Question No : 103
A company is in the process of upgrading their existing Palo Alto Networks firewalls from
version 6.1.0 to 6.1.1.
Which three methods can the firewall administrator use to install PAN-OS 6.1.1 across the
enterprise? Choose 3 answers
A. Push the PAN-OS 6.1.1 updates from the support site to install on each firewall.
B. Download PAN-OS 6.1.1 files from the support site and install them on each firewall
after manually uploading.
C. Download PAN-OS 6.1.1 to a USB drive and the firewall will automatically update after
the USB drive is inserted in the firewall.
D. Push the PAN-OS 6.1.1 update from one firewall to all of the other remaining after
updating one firewall.
E. Download and push PAN-OS 6.1.1 from Panorama to each firewall.
F. Download and install PAN-OS 6.1.1 directly on each firewall.
Answer: B,E,F
Reference: https://live.paloaltonetworks.com/docs/DOC-1062

Question No : 104
How do you limit the amount of information recorded in the URL Content Filtering Logs?
A. Enable DSRI
B. Disable URL packet captures
C. Enable URL log caching
D. Enable Log container page only
Answer: D

Question No : 105
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
A. Dynamic numbers that refer to a security policy's order and are especially useful when
filtering security policies by tags
B. Numbers referring to when the security policy was created and do not have a bearing on
the order of policy enforcement
C. Static numbers that must be manually re-numbered whenever a new security policy is
added
Answer: A

Question No : 106
Which mode will allow a user to choose how they wish to connect to the GlobalProtect
Network as they would like?
A. Single Sign-On Mode
B. On Demand Mode
C. Always On Mode
D. Optional Mode
Answer: B

Question No : 107
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption
capabilities.
A. True
B. False
Answer: B

Question No : 108
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect
when the Connect Method is set to "pre-logon"?
A. Certificate Revocation List
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12.

Question No : 109
A company wants to run their pair of PA-200 firewalls in a High Availability Active/Passive
configuration and will be using HA-Lite.

Which capability can be used in this situation?
A. Configuration Sync
B. Link Aggregation
C. Session Sync
D. Jumbo Frames
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-3091

Question No : 110
When configuring Security rules based on FQDN objects, which of the following statements
are true?
A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each
time Security rules are evaluated.
B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at
TTL expiration. There is no limit on the number of IP addresses stored for each resolved
FQDN.
C. In order to create FQDN-based objects, you need to manually define a list of associated
IP. Up to 10 IP addresses can be configured for each FQDN entry.
D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at
TTL expiration. The resolution of this FQDN stores up to 10 different IP addresses.
Answer: C

Question No : 111
Which routing protocol is supported on the Palo Alto Networks platform?
A. BGP
B. RSTP
C. ISIS
D. RIPv1
Answer: A

Question No : 112
Which two statements are true about DoS Protection Profiles and Policies? Choose 2
answers
A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone
basis, regardless of interface(s). They provide reconnaissance protection against TCP/UDP
port scans and host sweeps.
B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They
provide resource protection by limiting the number of sessions that can be used.
C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force
methods, amplification, spoofing, and other vulnerabilities.
D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing
"random early drop".
Answer: B,D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-325328/Application%20DDoS%20Mitigation.pdf page 4

Question No : 113
To properly configure DOS protection to limit the number of sessions individually from
specific source IPs you would configure a DOS Protection rule with the following
characteristics:
A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified
Address with "source-ip-only" configured
B. Action: Deny, Aggregate Profile with "Resources Protection" configured
C. Action: Protect, Aggregate Profile with "Resources Protection" configured
D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified
Address with "source-ip-only" configured
Answer: A

Question No : 114
When using Config Audit, the color yellow indicates which of the following?
A. A setting has been changed between the two config files
B. A setting has been deleted from a config file.
C. A setting has been added to a config file
D. An invalid value has been used in a config file.
Answer: C

Question No : 115
An Outbound SSL forward-proxy decryption rule cannot be created using which type of
zone?
A. Virtual Wire
B. Tap
C. L3
D. L2
Answer: A

Question No : 116
A security architect has been asked to implement User-ID in a MacOS environment with no
enterprise email, using a Sun LDAP server for user authentication.
In this environment, which two User-ID methods are effective for mapping users to IP
addresses? Choose 2 answers
A. Terminal Server Agent
B. Mac OS Agent
C. Captive Portal
D. GlobalProtect
Answer: C,D

Question No : 117

When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall,
the order of evaluation within a profile is:
A. Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list,
Cache files.
B. Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
C. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL
filtering, Allow list.
D. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined
categories.
Answer: A

Question No : 118
In PANOS 6.0, rule numbers are:
A. Numbers that specify the order in which security policies are evaluated.
B. Numbers created to be unique identifiers in each firewall's policy database.
C. Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in
conflict.
D. Numbers created to make it easier for users to discuss a complicated or difficult
sequence of rules.
Answer: A

Question No : 119 HOTSPOT


Match the description of an application field with its name.
Answer options may be used more than once or not at all.

Answer:

Question No : 120
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Global Protect
B. URL Filtering
C. Antivirus
D. Applications and Threats
Answer: B,C

Question No : 121
What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an
Active/Passive High Availability (HA) pair?
A. The peer HA1 IP address must be the same on both firewalls.
B. The management interfaces must be on the same network.
C. The firewalls must have the same set of licenses.
D. The HA interfaces must be directly connected to each other.
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 134

Question No : 122
Both SSL decryption and SSH decryption are disabled by default.
A. True
B. False
Answer: A

Question No : 123
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning
a Palo Alto Networks firewall for multiple virtual systems?
A. In the GUI under Network->Global Protect->Gateway->Vsys2
B. In the GUI under Device->Setup->Session->Session Settings
C. In the GUI under Device->Virtual Systems->Vsys2->Resource
D. In the GUI under Network->Global Protect->Portal->Vsys2

Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/tech-briefs/virtual-systems.pdf page 6

Question No : 124
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a
dependency Application need to also be enabled if the application does not employ HTTP,
SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS?
A. Yes
B. No
Answer: A

Question No : 125
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles).
A. True
B. False
Answer: A

Question No : 126
Which fields can be altered in the default Vulnerability Protection Profile?
A. Category
B. Severity
C. None
Answer: C

Question No : 127
Which of the following types of protection are available in DoS policy?
A. Session Limit, SYN Flood, UDP Flood
B. Session Limit, Port Scanning, Host Swapping, UDP Flood
C. Session Limit, SYN Flood, Host Swapping, UDP Flood
D. Session Limit, SYN Flood, Port Scanning, Host Swapping
Answer: A

Question No : 128
Select the implicit rules enforced on traffic failing to match any user defined Security
Policies:
A. Intra-zone traffic is denied
B. Inter-zone traffic is denied
C. Intra-zone traffic is allowed
D. Inter-zone traffic is allowed
Answer: B,C

Question No : 129
In PAN-OS 5.0, which of the following features is supported with regards to IPv6?
A. OSPF
B. NAT64
C. IPSec VPN tunnels
D. None of the above
Answer: B

Question No : 130
Which of the following is NOT a valid option for built-in CLI access roles?
A. read/write
B. superusers
C. vsysadmin
D. deviceadmin
Answer: A

Question No : 131
Which of the following interface types will have a MAC address?
A. Layer 3
B. Tap
C. Vwire
D. Layer 2
Answer: D

Question No : 132
Given the following routing table:

Which configuration change on the firewall would cause it to use 10.66.24.88 as the
nexthop for the 192.168.93.0/30 network?
A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the metric for RIP to be lower than that of OSPF Ext
D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
Answer: D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5284-102-317278/Route%20Redistribution%20and%20Filtering%20TechNote%20-%20Rev%20B.pdf

Question No : 133
What is the name of the debug save file for IPSec VPN tunnels?
A. set vpn all up
B. test vpn ike-sa
C. request vpn IPsec-sa test
D. Ikemgr.pcap
Answer: D

Question No : 134
Which of the following fields is not available in DoS policy?
A. Destination Zone
B. Source Zone
C. Application
D. Service
Answer: C

Question No : 135

Which of the following are methods HA clusters use to identify network outages?
A. Path and Link Monitoring
B. VR and VSys Monitors
C. Heartbeat and Session Monitors
D. Link and Session Monitors
Answer: A

Question No : 136
Will an exported configuration contain Management Interface settings?
A. Yes
B. No
Answer: A

Question No : 137
What has happened when the traffic log shows an internal host attempting to open a
session to a properly configured sinkhole address?
A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server.
B. The internal host attempted to use DNS to resolve a known malicious domain into an IP
address.
C. A rogue DNS server is now using the sinkhole address to direct traffic to a known
malicious domain.
D. A malicious domain is trying to contact an internal DNS server.
Answer: B
Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14

Question No : 138 HOTSPOT

Match each type of report provided by the firewall with its description.
Answer options may be used more than once or not at all.

Answer:

Question No : 139
As the Palo Alto Networks administrator, you have enabled Application Block pages.
Afterward, some users do not receive web-based feedback for all denied applications. Why
would this be?
A. Some users are accessing the Palo Alto Networks firewall through a virtual system that
does not have Application Block pages enabled.
B. Application Block Pages will only be displayed when Captive Portal is configured
C. Some Application ID's are set with a Session Timeout value that is too low.
D. Application Block Pages will only be displayed when users attempt to access a denied
web-based application.

Answer: D

Question No : 140
When Destination Network Address Translation is being performed, the destination in the
corresponding Security Policy Rule should use:
A. The PostNAT destination zone and PostNAT IP address.
B. The PreNAT destination zone and PreNAT IP address.
C. The PreNAT destination zone and PostNAT IP address.
D. The PostNAT destination zone and PreNAT IP address.
Answer: D

Question No : 141
When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2
mode, security policies can be set to match on multicast IP addresses.
A. True
B. False
Answer: B

Question No : 142
A firewall is being attacked with a port scan. Which component can prevent this attack?
A. DoS Protection
B. Anti-Spyware
C. Vulnerability Protection
D. Zone Protection
Answer: D
Reference: https://live.paloaltonetworks.com/docs/DOC-4501

Question No : 143
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone.
B. It is used for Captive Portal to identify unknown users.
C. It is used when web servers request a client certificate.
D. It is the issuer for an external certificate which is not trusted by the firewall.
Answer: D

Question No : 144
A hotel chain is using a system to centrally control a variety of items in guest rooms. The
client devices in each guest room communicate to the central controller using TCP and
frequently disconnect due to premature timeouts when going through a Palo Alto
Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom
application.
C. Create an application with a specified TCP timeout and assign traffic to it with an
application override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom
application.
Answer: C

Question No : 145
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a
specific file type, and there is a specific application that you want to match in the policy.

What are three valid actions that can be set when the specified file is detected? Choose 3
answers
A. Reset-both
B. Block
C. Continue
D. Continue-and-forward
E. Upload
Answer: B,C,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf page 287

Question No : 146
You'd like to schedule a firewall policy to only allow a certain application during a particular
time of day. Where can this policy option be configured?
A. Policies > Security > Service
B. Policies > Security > Options
C. Policies > Security > Application
D. Policies > Security > Profile
Answer: D

Question No : 147
When employing the Brightcloud URL filtering database on the Palo Alto Networks
firewalls, the order of checking within a profile is:
A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic
URL Filtering
B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic
URL Filtering
C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories,
Predefined Categories
D. None of the above
Answer: A

Question No : 148
Which source address translation type will allow multiple devices to share a single
translated source address while using a single NAT Policy rule?
A. Dynamic IP and Port
B. Dynamic IP
C. Bi-directional
D. Static IP
Answer: A
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panos/networking/nat.html

Question No : 149
A user complains that they are no longer able to access a needed work application after
you have implemented vulnerability and anti-spyware profiles. The user's application uses
a unique port. What is the most efficient way to allow the user access to this application?
A. Utilize an Application Override Rule, referencing the custom port utilized by this
application. Application Override rules bypass all Layer 7 inspection, thereby allowing
access to this application.
B. In the Threat log, locate the event which is blocking access to the user's application and
create an IP-based exemption for this user.
C. In the vulnerability and anti-spyware profiles, create an application exemption for the
user's application.
D. Create a custom Security rule for this user to access the required application. Do not
apply vulnerability and anti-spyware profiles to this rule.
Answer: B

Question No : 150
Which two interface types provide support for network address translation (NAT)? (Choose 2 answers)
A. HA
B. Tap
C. Layer3
D. Virtual Wire
E. Layer2
Answer: C,D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-711647/Understanding_NAT-4.1-RevC.pdf

Question No : 151
Which Security Policy rule configuration option disables antivirus and anti-spyware
scanning of server-to-client flows only?
A. Apply an Application Override Policy
B. Disable Server Response Inspection
C. Add server IP to Security Policy exception
D. Disable HIP Profile
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/gettingstarted/set-up-basic-security-policies.html

Question No : 152
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is
chosen on the firewall? (Select all correct answers.)
A. Improved DNS-based C&C signatures.
B. Improved PAN-DB malware detection.
C. Improved BrightCloud malware detection.
D. Improved malware detection in WildFire.
Answer: A,B,D

Question No : 153 HOTSPOT
Within a Zone Protection Profile, under the Reconnaissance Protection tab, there are
several possible values for Action.
Match each Reconnaissance Protection Action to its description.
Answer options may be used more than once or not at all.
Answer: