Palo Alto Networks Palo Alto Certifications and Accreditations PCNSE Questions & Answers

• Question 1:

  When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

  A. To enable Gateway authentication to the Portal

  B. To enable Portal authentication to the Gateway

  C. To enable user authentication to the Portal

  D. To enable client machine authentication to the Portal

  Correct Answer: C

  The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite. Reference https://www.paloaltonetworks.com/documentation/71/panos/web-interface- help/globalprotect/network-globalprotect-portals

• Question 2:

  An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

  A. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from themanagement interfaced destined for the update servers goes out of the interface acting as your internet connection.

  B. Configure a security policy rule to allow all traffic to and from the update servers.

  C. Download and install application updates cannot be done automatically if the MGT port cannot reach the internet.

  D. Configure a service route for Palo Alto networks services that uses a dataplane interface that can route traffic to the internet, and create a security policy rule to allow the traffic from that interface to the update servers if necessary.

  Correct Answer: D

  "By default, the firewall uses management interface to communicate to various servers including DNS, Email, Palo Alto Updates, User-ID agent, Syslog, Panorama etc. Service routes are used so that the communication between the firewall and servers go through the dataplane."https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g00000 0ClGJCA0 "The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list."https://docs.paloaltonetworks.com/pan-os/7-1/pan-osweb-interface- help/device/device-dynamic-updates#

• Question 3:

  Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

  A. System log

  B. CPU Utilization widget

  C. Resources widget

  D. System Utilization log

  Correct Answer: C

  System Resources (widget)Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-webinterface- help/dashboard/dashboard-widgets#

• Question 4:

  Which is not a valid reason for receiving a decrypt-cert-validation error?

  A. Unsupported HSM

  B. Unknown certificate status

  C. Client authentication

  D. Untrusted issuer

  Correct Answer: A

  Per the link https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new- features/networking-features/ssl-ssh-session-end-reasons , receiving the decrypt-cert-validation error is valid for the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. "Unsupported HSM" is not a valid reason for receiving a decrypt-cert-validation error.

• Question 5:

  Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  A. Create a no-decrypt Decryption Policy rule.

  B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.

  C. Create a Dynamic Address Group for untrusted sites

  D. Create a Security Policy rule with vulnerability Security Profile attached.

  E. Enable the "Block sessions with untrusted issuers" setting.

  Correct Answer: AE

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile

• Question 6:

  Refer to the exhibit.

  

  Which certificates can be used as a Forwarded Trust certificate?

  A. Certificate from Default Trust Certificate Authorities

  B. Domain Sub-CA

  C. Forward_Trust

  D. Domain-Root-Cert

  Correct Answer: B

  The SSL Forward Proxy certificate must be a trusted CA certificate with private key. In order to use this cert as a Forward Proxy certificate, you must open the certificate and select the checkbox to enable it as a Forward Trust Certificate. See the following doc, Step 2 number 5: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os- admin/decryption/configure-ssl-forward-proxy.html

• Question 7:

  What file type upload is supported as part of the basic WildFire service?

  A. PE

  B. BAT

  C. VBS

  D. ELF

  Correct Answer: A

  https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire- overview/wildfire-subscription.html

• Question 8:

  Which protection feature is available only in a Zone Protection Profile?

  A. SYN Flood Protection using SYN Flood Cookies

  B. ICMP Flood Protection

  C. Port Scan Protection

  D. UDP Flood Protections

  Correct Answer: C

  Configure one of the following Reconnaissance Protection actions for the firewall to take in response to the corresponding reconnaissance attempt:Allow--The firewall allows the port scan or host sweep reconnaissance to continue.

  SYN Flood Cookies is also available on DoS Protection Profile, the answer refers to ONLY. DoS Protection profiles protect specific devices (classified profiles) and groups of devices (aggregate profiles) against SYN, UDP, ICMP, ICMPv6,

  and Other IP flood attacks.

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface- help/network/network-network-profiles/network-network-profiles-zone- protection/reconnaissance-protection.html#ida0512c75-ed54-4b31-8d2c-9f459466d4d2 Port scan

  protection = Reconnaissance Protection

  That can only be done in a Zone Protection Profile. That's meant to be configured on an external-facing interface to protect the entire attack surface. DOS Protection profiles are meant to be configured on internal-facing interfaces to protect a

  specific server or group of servers from flood attacks, including SYN Flood.

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and- dos-protection/configure-zone-protection-to-increase-network-security/configure- reconnaissance-protection

• Question 9:

  Which virtual router feature determines if a specific destination IP address is reachable?

  A. Heartbeat Monitoring

  B. Failover

  C. Path Monitoring

  D. Ping-Path

  Correct Answer: C

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based- forwarding/pbf/path-monitoring-for-pbf

• Question 10:

  A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

  Which VPN configuration would adapt to changes when deployed to the future site?

  A. Preconfigured GlobalProtect satellite

  B. Preconfigured GlobalProtect client

  C. Preconfigured IPsec tunnels

  D. Preconfigured PPTP Tunnels

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale- vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite- configurations.html