Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG
2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
A. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
B. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
C. Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.
D. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.
Correct Answer: D
Question 92:
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
A. Verify AutoFocus status using the CLI test command.
B. Check the WebUI Dashboard AutoFocus widget.
C. Check for WildFire forwarding logs.
D. Check the license.
E. Verify AutoFocus is enabled below Device Management tab.
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using the ntfs file system, and the initial configuration is stored in a file named init-cfg.txt.
The contents of init-cfg.txt in the USB flash drive are as follows:
The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. the bootstrap.xml file is a required file, but it is missing
B. init-cfg.txt is an incorrect filename; the correct filename should be init-cfg.xml
C. The USB must be formatted using the ext4 file system
D. There must be commas between the parameter names and their values instead of the equal symbols
E. The USB drive has been formatted with an unsupported file system
Correct Answer: E
As per PA, it will support FAT32 and ext3, so the correct answer is E (Unsupported File System).
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
- File Allocation Table 32 (FAT32)
- Third Extended File System (ext3)
Question 94:
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
A. Yes, because the final action is set to "allow."
B. No, because the action for the wildfire-virus is "reset-both."
C. No, because the URL generated an alert.
D. Yes, because both the web-browsing application and the flash file have the "alert" action.
Correct Answer: B
Question 95:
An administrator has been tasked with configuring decryption policies. Which decryption best practice should they consider?
A. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.
B. Decrypt all traffic that traverses the firewall so that it can be scanned for threats.
C. Place firewalls where administrators can opt to bypass the firewall when needed.
D. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.
Correct Answer: A
The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.
Question 96:
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
A. ECDSA
B. ECDHE
C. RSA
D. DHE
Correct Answer: BD
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA key exchange, which is a non-PFS algorithm that uses the server's public and private keys to encrypt and decrypt the session key.
References: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60) https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
Question 98:
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
A. Authentication Portal
B. SSL Decryption profile
C. SSL decryption policy
D. comfort pages
Correct Answer: A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
Question 99:
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
A. Change the subnet mask from /23 to /24.
B. Lower the interface MTU value below 1500.
C. Adjust the TCP maximum segment size (MSS) value.
D. Enable the Ignore IPv4 Don't Fragment (DF) setting.
Correct Answer: C
Please note that even though adjusting the MSS value on the PA firewall solves the issue, the issue is not caused by the firewall. The issue is caused by other hosts in the path that have a lower MTU setting.
Question 100:
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours
Correct Answer: B
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.