Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 101:

  An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)

  A. A QoS policy for each application

  B. An Application Override policy for the SIP traffic

  C. A QoS profile defining traffic classes

  D. QoS on the ingress interface for the traffic flows

  E. QoS on the egress interface for the traffic flows

  Correct Answer: ACE

  The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.

  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egress-interface

• Question 102:

  An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

  Which three settings can be configured in this template? (Choose three.)

  A. Log Forwarding profile

  B. SSL decryption exclusion

  C. Email scheduler

  D. Login banner

  E. Dynamic updates

  Correct Answer: BDE

  A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login

  banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed

  firewalls in an ordered hierarchy.

  References: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)

• Question 103:

  An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service.

  What should an administrator configure to enable automatic failover to the backup tunnel?

  A. Replay Protection

  B. Zone Protection

  C. Tunnel Monitor

  D. Passive Mode

  Correct Answer: C

• Question 104:

  An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

  

  Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

  A. Values in Global Settings

  B. Values in Datacenter

  C. Values in efw01ab.chi

  D. Values in Chicago

  Correct Answer: C

• Question 105:

  An engineer is monitoring an active/active high availability (HA) firewall pair.

  Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

  A. Initial

  B. Passive

  C. Active-secondary

  D. Tentative

  Correct Answer: D

  In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Firewall Stuck in Initial (Leaving Suspended State) Palo Alto Networks

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-firewall-states

• Question 106:

  A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

  What should the engineer do to complete the configuration?

  A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

  B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

  C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

  D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

  Correct Answer: A

  forward-If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

• Question 107:

  An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

  What should an administrator configure to route interesting traffic through the VPN tunnel?

  A. Proxy IDs

  B. ToS Header

  C. GRE Encapsulation

  D. Tunnel Monitor

  Correct Answer: A

  https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/get-started-with-ipsec-vpn-site-to-site/site-to-site-vpn-overview/proxy-id-for-ipsec-vpn

• Question 108:

  A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

  How does the firewall identify the New App-ID characteristic?

  A. It matches to the New App-IDs downloaded in the last 90 days.

  B. It matches to the New App-IDs in the most recently installed content releases.

  C. It matches to the New App-IDs downloaded in the last 30 days.

  D. It matches to the New App-IDs installed since the last time the firewall was rebooted.

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/monitor-new-app-ids

• Question 109:

  A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?

  A. show session all filter nat source

  B. show running nat-rule-ippool rule "rule_name"

  C. show running nat-policy

  D. show session all filter nat-rule-source

  Correct Answer: D

• Question 110:

  An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

  

  Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?

  A. Monitor Fail Hold Up Time

  B. Promotion Hold Time

  C. Heartbeat Interval

  D. Hello Interval

  Correct Answer: D

  The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices