Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 1:

  An administrator needs to validate that policies mat will be deployed win match the appropriate rules in the device-group hierarchy. Which toot can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

  A. Policy Optimizer

  B. Test Policy Match

  C. Preview Changes

  D. Managed Devices Health

  Correct Answer: B

  https://docs.paloaltonetworks.com/panorama/9-0/panorama- admin/troubleshooting/test-policy-match-and-connectivity-for-managed-devices.html After you successfully push the device group and template stack configurations to your firewalls, Log Collectors, and WF-500 appliances, test that the correct traffic matches the policy rules pushed to your managed devices and that your firewalls can successfully connect to all appropriate network resources.

• Question 2:

  What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

  

  A. IP Netmask

  B. IP Wildcard Mask

  C. IP Address

  D. IP Range

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/wildcard-address

• Question 3:

  In URL filtering, which component matches URL patterns?

  A. live URL feeds on the management plane

  B. security processing on the data plane

  C. signature matching on the data plane

  D. single-pass pattern matching on the data plane

  Correct Answer: B

• Question 4:

  An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone.

  What must the administrator do to correct this issue?

  A. Specify the target device as the master device in the device group

  B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

  C. Add the template as a reference template in the device group

  D. Add a firewall to both the device group and the template

  Correct Answer: C

  In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer.

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

• Question 5:

  A firewall should be advertising the static route 10 2 0 0/24 into OSPF The configuration on the neighbor is correct but the route is not in the neighbor's routing table.

  Which two configurations should you check on the firewall'? (Choose two )

  A. Within the redistribution profile ensure that Redist is selected

  B. In the redistribution profile check that the source type is set to "ospf"

  C. In the OSFP configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section

  D. Ensure that the OSPF neighbor state is "2-Way"

  Correct Answer: AC

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/network/network- virtual-routers/ospf/ospf-export-rules-tab https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGTCA0

• Question 6:

  An administrator wants to enable zone protection.

  Before doing so, what must the administrator consider?

  A. Activate a zone protection subscription.

  B. To increase bandwidth no more than one firewall interface should be connected to a zone

  C. Security policy rules do not prevent lateral movement of traffic between zones

  D. The zone protection profile will apply to all interfaces within that zone

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/how-do-zones-protect-the-network

• Question 7:

  A remote administrator needs firewall access on an untrusted interface.

  Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

  A. client certificate

  B. certificate profile

  C. certificate authority (CA) certificate

  D. server certificate

  Correct Answer: BC

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall- administration/manage-firewall-administrators/configure-administrative-accounts-and- authentication/configure-certificate-based-administrator-authentication-to-the-webinterface.html

• Question 8:

  What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

  A. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway

  B. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately

  C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS

  D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS

  Correct Answer: C

  The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

  If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

  This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.

• Question 9:

  In a template you can configure which two objects? (Choose two.)

  A. SD WAN path quality profile

  B. application group

  C. IPsec tunnel

  D. Monitor profile

  Correct Answer: CD

• Question 10:

  Which three statements accurately describe Decryption Mirror? (Choose three.)

  A. Decryption Mirror requires a tap interface on the firewall

  B. Decryption, storage, inspection and use of SSL traffic are regulated in certain countries

  C. Only management consent is required to use the Decryption Mirror feature

  D. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment

  E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

  Correct Answer: BDE

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring.html "Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment."