A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
Question 112:
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A. Option A
B. Option B
C. Option C
D. Option D
A. Option A
Explanation
The Panorama address is wrong, so nothing will reach Panorama. The syslog screenshot is not relevant because the question states that no Traffic logs are appearing on Panorama. The screenshot showing no Log Forwarding profile applies to a single security policy; every policy needs a Log Forwarding profile for its logs to show up in Panorama, so that option would only be valid if the firewall had a single rule. The last screenshot appears to be an unrelated Panorama configuration screen.
Question 113:
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32. 2. Check the box for the negate option to negate this IP from the NAT translation.
B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23. 2. Check the box for the negate option to negate this IP subnet from NAT translation.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place NAT-Rule-2 above NAT-Rule-1.
D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place NAT-Rule-1 above NAT-Rule-2.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place NAT-Rule-2 above NAT-Rule-1.
Explanation
NAT-Rule-2 must be placed above NAT-Rule-1; NAT rules are evaluated top down and the first match wins, so if NAT-Rule-1 (matching the whole /23) came first it would shadow NAT-Rule-2 and the exception for 10.0.0.10/32 would never be used.
Question 114:
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
Explanation
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. TAP mode
B. Layer 2 mode
C. Virtual Wire mode
D. Layer 3 mode
C. Virtual Wire mode
D. Layer 3 mode
Explanation
Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication
Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone?
The web server is reachable using a destination NAT policy on the Palo Alto Networks firewall.
A. Zone Pair: Source Zone: Internet; Destination Zone: DMZ; Rule Type: "intrazone"
B. Zone Pair: Source Zone: Internet; Destination Zone: DMZ; Rule Type: "intrazone" or "universal"
C. Zone Pair: Source Zone: Internet; Destination Zone: Internet; Rule Type: "intrazone" or "universal"
D. Zone Pair: Source Zone: Internet; Destination Zone: Internet; Rule Type: "intrazone"
B. Zone Pair: Source Zone: Internet; Destination Zone: DMZ; Rule Type: "intrazone" or "universal"
Phishing attack prevention extends the URL filtering capabilities to actively detect targeted credential phishing attacks through a cloud-based analytics service as well as through heuristics on the device itself.
Question 119:
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?
A. Certificate profile
B. Path Quality profile
C. SD-WAN Interface profile
D. Traffic Distribution profile
C. SD-WAN Interface profile
Question 120:
An engineer is pushing configuration from Panorama to a managed firewall.
What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
A. The firewall rejects the pushed configuration, and the commit fails.
B. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.
C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
D. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
A. The firewall rejects the pushed configuration, and the commit fails.