Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 111:

  An engineer troubleshoots a high availability (HA) link that is unreliable.

  Where can the engineer view what time the interface went down?

  A. Monitor > Logs > Traffic

  B. Device > High Availability > Active/Passive Settings

  C. Monitor > Logs > System

  D. Dashboard > Widgets > High Availability

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNlUCAUandlang=en_US

• Question 112:

  An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

  Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)

  A. Override the DNS server on the template stack.

  B. Configure the DNS server locally on the firewall.

  C. Change the DNS server on the global template.

  D. Configure a service route for DNS on a different interface.

  Correct Answer: AB

  To override a device and network setting applied by a template, you can either configure the setting locally on the firewall or override the setting on the template stack. Configuring the setting locally on the firewall will copy the setting to the local configuration of the device and will no longer be controlled by the template. Overriding the setting on the template stack will apply the setting to all the firewalls that are assigned to the template stack, unless the setting is also overridden locally on a firewall. Changing the setting on the global template will affect all the firewalls that inherit the setting from the template, which is not desirable in this scenario. Configuring a service route for DNS on a different interface will not change the DNS server address, but only the interface that the firewall uses to reach the DNS server. References: Override a Template Setting How to override panorama pushed template configuration on the local firewall Overriding Panorama Template settings

• Question 113:

  The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

  When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

  A. GlobalProtect agent version

  B. Outdated plugins

  C. Management only mode

  D. Expired certificates

  Correct Answer: B

• Question 114:

  A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

  Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?

  A. Pre-NAT source IP address Pre-NAT source zone

  B. Post-NAT source IP address Pre-NAT source zone

  C. Pre-NAT source IP address Post-NAT source zone

  D. Post-NAT source IP address Post-NAT source zone

  Correct Answer: B

  When configuring Quality of Service (QoS) policies, particularly for traffic going to or from specific IP addresses and involving NAT, it's important to base the rule on how the firewall processes the traffic. For QoS, the firewall evaluates traffic using pre-NAT IP addresses and zones because QoS policies typically need to be applied before the NAT action occurs. This is especially true for inbound traffic, where the goal is to limit bandwidth before the destination IP is translated.

  The correct combination for a QoS rule in this scenario, where the aim is to limit bandwidth for downloads from a specific server (implying inbound traffic to the server), would be:

  Pre-NAT source IP address

  Pre-NAT source zone:

  Pre-NAT source IP address: This refers to the original IP address of the client or source device before any NAT rules are applied. Since QoS policies are evaluated before NAT, using the pre-NAT IP address ensures that the policy applies to

  the correct traffic.

  Pre-NAT source zone: This is the zone associated with the source interface before NAT takes place. Using the pre-NAT zone ensures that the QoS policy is applied to traffic as it enters the firewall, before any translations or routing decisions are made.

  By configuring the QoS rule with pre-NAT information, the firewall can accurately apply bandwidth limitations to the intended traffic, ensuring efficient use of network resources and mitigating the impact of large file downloads from the specified server.

  For detailed guidelines on configuring QoS policies, refer to the Palo Alto Networks documentation, which provides comprehensive instructions and best practices for managing bandwidth and traffic priorities on the network.

• Question 115:

  All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time.

  Which method is the most time-efficient to complete this task?

  A. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time

  B. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time

  C. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received

  D. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time

  Correct Answer: D

• Question 116:

  A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis.

  What must the engineer consider when planning deployment?

  A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.

  B. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.

  C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.

  D. Only Panorama must be patched to the target PAN-OS version before updating the firewalls.

  Correct Answer: C

• Question 117:

  Which two are required by IPSec in transport mode? (Choose two.)

  A. Auto generated key

  B. NAT Traversal

  C. IKEv1

  D. DH-group 20 (ECP-384 bits)

  Correct Answer: AD

• Question 118:

  Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

  A. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance

  B. External zones are required because the same external zone can be used on different virtual systems

  C. To allow traffic between zones in different virtual systems without the traffic leaving the appliance

  D. Multiple external zones are required in each virtual system to allow the communications between virtual systems

  Correct Answer: C

• Question 119:

  What happens when the log forwarding built-in action with tagging is used?

  A. Selected logs are forwarded to the Azure Security Center.

  B. Destination zones of selected unwanted traffic are blocked.

  C. Destination IP addresses of selected unwanted traffic are blocked.

  D. Selected unwanted traffic source zones are blocked.

  Correct Answer: A

• Question 120:

  A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknowntcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

  Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

  A. Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

  B. Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

  C. Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

  D. Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

  Correct Answer: C

  For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

  The process involves:

  Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's

  sessions due to inactivity.

  Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

  This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.