Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 91:

  An administrator needs to validate that policies mat will be deployed win match the appropriate rules in the device-group hierarchy. Which toot can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

  A. Policy Optimizer
  B. Test Policy Match
  C. Preview Changes
  D. Managed Devices Health
  B. Test Policy Match

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/troubleshooting/test-policy-match-and-connectivity-for-managed-devices.html After you successfully push the device group and template stack configurations to your firewalls, Log Collectors, and WF-500 appliances, test that the correct traffic matches the policy rules pushed to your managed devices and that your firewalls can successfully connect to all appropriate network resources.

• Question 92:

  Which three fields can be included in a pcap filter? (Choose three)

  A. Egress interface
  B. Source IP
  C. Rule number
  D. Destination IP
  E. Ingress interface
  B. Source IP
  C. Rule number
  D. Destination IP

  ---

  Explanation

  (https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069)

• Question 93:

  Which Panorama objects restrict administrative access to specific device-groups?

  A. templates
  B. admin roles
  C. access domains
  D. authentication profiles
  C. access domains

  ---

  Explanation

  Access domains control administrative access to specific Device Groups and templates, and also control the ability to switch context to the web interface of managed firewalls. https://docs.paloaltonetworks.com/panorama/10-1/panoramaadmin/panorama-overview/role-based-access-control/access-domains.html

• Question 94:

  Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

  Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

  A. debug dataplane Internal vif route 250
  B. show routing route type service-route
  C. show routing route type management
  D. debug dataplane internal vif route 255
  B. show routing route type service-route

  ---

  Explanation

• Question 95:

  An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

  Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

  A. Source IP address
  B. Dynamic tags
  C. Static tags
  D. Ldap attributes
  A. Source IP address
  B. Dynamic tags

  ---

  Explanation

• Question 96:

  A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

  A. Route added with next hop set to "none" and using the interface of the virtual systems that need to communicate
  B. External zones with the virtual systems added
  C. Route added with next hop next-vr by using the VR configured in the virtual system
  D. Layer 3 zones for the virtual systems that need to communicate
  B. External zones with the virtual systems added
  C. Route added with next hop next-vr by using the VR configured in the virtual system
  D. Layer 3 zones for the virtual systems that need to communicate

  ---

  Explanation

• Question 97:

  Which type of zone will allow different virtual systems to communicate with each other?

  A. Tap
  B. External
  C. Virtual Wire
  D. Tunnel
  B. External

  ---

  Explanation

  An external zone is a type of zone that will allow different virtual systems to communicate with each other.

  An external zone is a special zone that is shared by all virtual systems on the firewall and can be used to route traffic between virtual systems without leaving the firewall.

  The external zone can also be used to route traffic to other zones within the same virtual system.

  The other options are not correct. A tap zone is a type of zone that is used to passively monitor traffic without affecting the flow of packets. A virtual wire zone is a type of zone that is used to create a transparent bridge between two network

  segments without changing the original IP addressing or routing.

  A tunnel zone is a type of zone that is used to terminate VPN tunnels or other types of encapsulated traffic.

  References:

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone https://docs.paloaltonetworks.com/pan-os/10-2/pan-osadmin/networking/configure-interfaces/configure-a-tap-interface

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-virtual-wire

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-tunnel-interface

• Question 98:

  During SSL decryption which three factors affect resource consumption1? (Choose three )

  A. TLS protocol version
  B. transaction size
  C. key exchange algorithm
  D. applications that use non-standard ports
  E. certificate issuer
  A. TLS protocol version
  B. transaction size
  C. key exchange algorithm

  ---

  Explanation

  https://docs.paloaltonetworks.com/best-practices/8-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment.html

• Question 99:

  The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

  Which profile is the engineer configuring?

  A. Vulnerability Protection
  B. DoS Protection
  C. Packet Buffer Protection
  D. Zone Protection
  B. DoS Protection

  ---

  Explanation

  The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods12.

  References: DoS Protection, PCNSE Study Guide (page 58) https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules

• Question 100:

  An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

  A. MS Office
  B. ELF
  C. APK
  D. VBscripts
  E. Powershell scripts
  A. MS Office
  B. ELF
  E. Powershell scripts

  ---

  Explanation