Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 101:

  A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?

  A. The amount of decrypted traffic
  B. The timeout value for admin sessions
  C. The number of mapped User-ID groups
  D. The number of permitted IP addresses on the management interface
  A. The amount of decrypted traffic

  ---

  Explanation

• Question 102:

  Which statement about High Availability timer settings is true?

  A. Use the Moderate timer for typical failover timer settings.
  B. Use the Critical timer for taster failover timer settings.
  C. Use the Recommended timer tor faster failover timer settings.
  D. Use the Aggressive timer for taster failover timer settings
  D. Use the Aggressive timer for taster failover timer settings

  ---

  Explanation

• Question 103:

  Which three authentication factors does PAN-OS?software support for MFA (Choose three.)

  A. Push
  B. Pull
  C. Okta Adaptive
  D. Voice
  E. SMS
  A. Push
  D. Voice
  E. SMS

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication

• Question 104:

  A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

  Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

  A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
  B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2:application: ssl; service: application-default; action: allow
  C. Rule # 1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
  D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow
  B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2:application: ssl; service: application-default; action: allow

  ---

  Explanation

• Question 105:

  Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

  A. Content-ID
  B. User-ID
  C. Applications and Threats
  D. Antivirus
  C. Applications and Threats
  D. Antivirus

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-dynamic-updates

• Question 106:

  Which protocol is supported by GlobalProtect Clientless VPN?

  A. HTTPS
  B. FTP
  C. RDP
  D. SSH
  A. HTTPS

  ---

  Explanation

  RDP and SSH are proxied through HTML5 wich is HTTPS

  Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMWare Horizon and Vcenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware.

  In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN.

  https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

• Question 107:

  An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two )

  A. The /config /content and /software folders are mandatory while the /license and /plugin folders are optional
  B. The bootstrap package is stored on an AFS share or a discrete container file bucket
  C. The directory structure must include a /config /content, /software and /license folders
  D. The init-cfg txt and bootstrap.xml files are both optional configuration items for the /config folder
  E. The bootstrap.xml file allows for automated deployment of VM-Senes firewalls with full network and policy configurations.
  C. The directory structure must include a /config /content, /software and /license folders
  E. The bootstrap.xml file allows for automated deployment of VM-Senes firewalls with full network and policy configurations.

  ---

  Explanation

  https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-in-aws.html

• Question 108:

  An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

  A. System Logs
  B. Task Manager
  C. Traffic Logs
  D. Configuration Logs
  A. System Logs
  B. Task Manager

  ---

  Explanation

  A. System Logs: The system logs contain information about various events that occur on the firewall, including the commit process. The administrator can review the system logs to verify whether the commit completed successfully or whether there were any errors or warnings during the commit process.

  B. Task Manager: The task manager displays a list of all active tasks on the firewall, including the commit task. The administrator can use the task manager to check the status of the commit task, including whether it is in progress, completed successfully, or failed.

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/config-logs

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/web-interface-basics/taskmanager.html

• Question 109:

  Where can a service route be configured for a specific destination IP?

  A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
  B. Use Device > Setup > Services > Services
  C. Use Device > Setup > Services > Service Route Configuration > Customize > Destination
  D. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
  C. Use Device > Setup > Services > Service Route Configuration > Customize > Destination

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

• Question 110:

  If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?

  A. Post-NAT destination address
  B. Pre-NAT destination address
  C. Pre-NAT source address
  D. Post-NAT source address
  C. Pre-NAT source address

  ---

  Explanation