PCNSE Study Guide Questions
Which component of the integrated Palo Alto Networks security solution limits network-
attached workstation access to a corporate mainframe?
threat intelligence cloud
advanced endpoint protection
next-generation firewall
tunnel inspection - ✔✔C - NGFW
Which Palo Alto Networks product is designed primarily to provide threat context with
deeper information about attacks?
RedLock
WildFire
AutoFocus
Threat Prevention - ✔✔C - AutoFocus
Which Palo Alto Networks product is designed primarily to provide normalization of
threat intelligence feeds with the potential for automated response?
MineMeld
WildFire
AutoFocus
Threat Prevention - ✔✔A - MineMeld
Which Palo Alto Networks product is designed primarily to prevent endpoints from
successfully running malware programs?
A. GlobalProtect
B. Magnifier
C. Traps
D. RedLock - ✔✔C. Traps
The Palo Alto Networks Cortex Data Lake can accept logging data from which two
products? (Choose two.)
Traps
next-generation firewalls
Aperture
MineMeld
,PCNSE Study Guide Questions
AutoFocus - ✔✔A. Traps
B. next-generation firewalls
Which Palo Alto Networks product is a cloud-based storage service designed to hold log
information?
RedLock
Traps
next-generation firewall
Cortex Data Lake - ✔✔D. Cortex Data Lake
Which product is an example of an application designed to analyze Cortex Data Lake
information?
Cortex XDR - Analytics
RedLock
Cortex XDR - Automated
Response
AutoFocus - ✔✔A. Cortex XDR - Analytics
A potential customer says it wants to maximize the threat detection capability of its next-
generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect threats? (Choose three.)
Traps
WildFire
URL Filtering
Expedition
DNS Security - ✔✔WildFire
URL Filtering
DNS Security
A VM-Series virtual firewall differs from a physical Palo Alto Networks firewall in which
way?
A VM-Series firewall cannot be managed by Panorama.
A VM-Series firewall supports fewer traffic interface types.
A VM-Series firewall cannot terminate VPN site-to-site tunnels.
,PCNSE Study Guide Questions
A VM-Series firewall cannot use dynamic routing protocols. - ✔✔A VM-Series firewall
supports fewer traffic interface types.
Which product would best secure east-west traffic within a public cloud implementation?
A. RedLock
B. MineMeld
C. VM-Series firewall
D. Cortex - ✔✔C. VM-Series firewall
Why would you recommend an active/active firewall cluster instead of an active/passive
firewall cluster?
A. Active/active is the preferred solution when the firewall cluster is behind a load
balancer that randomizes routing, thus requiring both firewalls to be active.
B. Active/active usually is the preferred solution because it allows for more bandwidth
while both firewalls are up.
C. Active/active is the preferred solution when the PA-7000 Series is used. Use
active/passive with the PA-5200 Series or smaller form factors.
D. Active/active is the preferred solution when the PA-5200 Series or smaller form
factors are used. Use active/passive with the PA-7000 Series. - ✔✔Active/active is the
preferred solution when the firewall cluster is behind a load balancer that randomizes
routing, thus requiring both firewalls to be active.
Which two events can trigger an HA pair failover event? (Choose two.)
A. An HA1 cable is disconnected from one of the firewalls.
B. A dynamic update fails to download and install.
C. The firewall fails to ping a path-monitored destination address successfully.
D. OSPF implemented on the firewall determines that an available route is now down.
E. RIP implemented on the firewall determines that an available route is now down. - ✔
✔A. An HA1 cable is disconnected from one of the firewalls.
C. The firewall fails to ping a path-monitored destination address successfully.
Which two firewall features support floating IP addresses in an active/active HA pair?
(Choose
, PCNSE Study Guide Questions
two.)
data-plane traffic interfaces
source NAT
VPN endpoints
loopback interfaces
management port - ✔✔source NAT
VPN endpoints
How are firewalls configured in an Active/Passive HA pair synchronized if the firewalls
are not under Panorama control?
An administrator commits the changes to one, then commits them to the partner, at
which time the changes are sent to the other.
An administrator pushes the configuration file to both firewalls, then commits them.
An administrator commits changes to one, which automatically synchronizes with the
other.
An administrator schedules an automatic sync frequency in the firewall configurations. -
✔✔An administrator commits changes to one, which automatically synchronizes with
the other.
In which two ways is an active/passive HA pair configured in a virtual firewall deployed
in any
public clouds? (Choose two.)
The virtual firewalls are deployed in a cloud "scale set" with a cloud-supplied load
balancer in front to detect and manage failover.
The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to the
firewall's HA settings.
Virtual firewalls use PAN-OS HA configuration combined with appropriate cloud
deployments of interfaces for HA use.
The virtual firewalls use an HA Compatibility module for the appropriate cloud
technology - ✔✔The virtual firewalls are deployed in a cloud "scale set" with a cloud-
supplied load balancer in front to detect and manage failover.
The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to the
firewall's HA settings.
Which component of the integrated Palo Alto Networks security solution limits network-
attached workstation access to a corporate mainframe?
threat intelligence cloud
advanced endpoint protection
next-generation firewall
tunnel inspection - ✔✔C - NGFW
Which Palo Alto Networks product is designed primarily to provide threat context with
deeper information about attacks?
RedLock
WildFire
AutoFocus
Threat Prevention - ✔✔C - AutoFocus
Which Palo Alto Networks product is designed primarily to provide normalization of
threat intelligence feeds with the potential for automated response?
MineMeld
WildFire
AutoFocus
Threat Prevention - ✔✔A - MineMeld
Which Palo Alto Networks product is designed primarily to prevent endpoints from
successfully running malware programs?
A. GlobalProtect
B. Magnifier
C. Traps
D. RedLock - ✔✔C. Traps
The Palo Alto Networks Cortex Data Lake can accept logging data from which two
products? (Choose two.)
Traps
next-generation firewalls
Aperture
MineMeld
,PCNSE Study Guide Questions
AutoFocus - ✔✔A. Traps
B. next-generation firewalls
Which Palo Alto Networks product is a cloud-based storage service designed to hold log
information?
RedLock
Traps
next-generation firewall
Cortex Data Lake - ✔✔D. Cortex Data Lake
Which product is an example of an application designed to analyze Cortex Data Lake
information?
Cortex XDR - Analytics
RedLock
Cortex XDR - Automated
Response
AutoFocus - ✔✔A. Cortex XDR - Analytics
A potential customer says it wants to maximize the threat detection capability of its next-
generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect threats? (Choose three.)
Traps
WildFire
URL Filtering
Expedition
DNS Security - ✔✔WildFire
URL Filtering
DNS Security
A VM-Series virtual firewall differs from a physical Palo Alto Networks firewall in which
way?
A VM-Series firewall cannot be managed by Panorama.
A VM-Series firewall supports fewer traffic interface types.
A VM-Series firewall cannot terminate VPN site-to-site tunnels.
,PCNSE Study Guide Questions
A VM-Series firewall cannot use dynamic routing protocols. - ✔✔A VM-Series firewall
supports fewer traffic interface types.
Which product would best secure east-west traffic within a public cloud implementation?
A. RedLock
B. MineMeld
C. VM-Series firewall
D. Cortex - ✔✔C. VM-Series firewall
Why would you recommend an active/active firewall cluster instead of an active/passive
firewall cluster?
A. Active/active is the preferred solution when the firewall cluster is behind a load
balancer that randomizes routing, thus requiring both firewalls to be active.
B. Active/active usually is the preferred solution because it allows for more bandwidth
while both firewalls are up.
C. Active/active is the preferred solution when the PA-7000 Series is used. Use
active/passive with the PA-5200 Series or smaller form factors.
D. Active/active is the preferred solution when the PA-5200 Series or smaller form
factors are used. Use active/passive with the PA-7000 Series. - ✔✔Active/active is the
preferred solution when the firewall cluster is behind a load balancer that randomizes
routing, thus requiring both firewalls to be active.
Which two events can trigger an HA pair failover event? (Choose two.)
A. An HA1 cable is disconnected from one of the firewalls.
B. A dynamic update fails to download and install.
C. The firewall fails to ping a path-monitored destination address successfully.
D. OSPF implemented on the firewall determines that an available route is now down.
E. RIP implemented on the firewall determines that an available route is now down. - ✔
✔A. An HA1 cable is disconnected from one of the firewalls.
C. The firewall fails to ping a path-monitored destination address successfully.
Which two firewall features support floating IP addresses in an active/active HA pair?
(Choose
, PCNSE Study Guide Questions
two.)
data-plane traffic interfaces
source NAT
VPN endpoints
loopback interfaces
management port - ✔✔source NAT
VPN endpoints
How are firewalls configured in an Active/Passive HA pair synchronized if the firewalls
are not under Panorama control?
An administrator commits the changes to one, then commits them to the partner, at
which time the changes are sent to the other.
An administrator pushes the configuration file to both firewalls, then commits them.
An administrator commits changes to one, which automatically synchronizes with the
other.
An administrator schedules an automatic sync frequency in the firewall configurations. -
✔✔An administrator commits changes to one, which automatically synchronizes with
the other.
In which two ways is an active/passive HA pair configured in a virtual firewall deployed
in any
public clouds? (Choose two.)
The virtual firewalls are deployed in a cloud "scale set" with a cloud-supplied load
balancer in front to detect and manage failover.
The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to the
firewall's HA settings.
Virtual firewalls use PAN-OS HA configuration combined with appropriate cloud
deployments of interfaces for HA use.
The virtual firewalls use an HA Compatibility module for the appropriate cloud
technology - ✔✔The virtual firewalls are deployed in a cloud "scale set" with a cloud-
supplied load balancer in front to detect and manage failover.
The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to the
firewall's HA settings.
