Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 121:

  Which log type is supported in the Log Forwarding profile?

  A. User-ID

  B. GlobalProtect

  C. Configuration

  D. Tunnel

  Correct Answer: D

• Question 122:

  A firewall engineer is managing a Palo Alto Networks NGFW which is not in line of any DHCP traffic.

  Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying IoT devices while receiving broadcast DHCP traffic?

  A. Virtual wire

  B. Layer 3

  C. Layer 2

  D. Tap

  Correct Answer: D

• Question 123:

  Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?

  A. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"

  B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"

  C. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)"

  D. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

  Correct Answer: C

• Question 124:

  Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

  A. HA cluster members must be the same firewall model and run the same PAN-OS version.

  B. HA cluster members must share the same zone names.

  C. Panorama must be used to manage HA cluster members.

  D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.

  Correct Answer: AD

• Question 125:

  A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

  Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

  A. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

  B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.

  C. Upload the image to Panorama > Software menu, and deploy it to the firewalls.

  D. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

  Correct Answer: A

  In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:

  Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls:

  The engineer first uploads the downloaded PAN-OS images to Panorama. This is done through the "Device Deployment" section, specifically under the "Software" menu. This area of Panorama's interface is designed for managing PAN-OS

  versions and software updates for the managed devices.

  Once the PAN-OS images are uploaded to Panorama, the engineer can then deploy these images to the firewalls directly from Panorama. This process allows for centralized management of software updates, ensuring that all firewalls can be

  updated to the latest PAN-OS version in a consistent and controlled manner, even without direct internet access.

  This method streamlines the update process for environments with strict security requirements, allowing for the efficient deployment of necessary PAN-OS updates to maintain security and functionality.

• Question 126:

  When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?

  A. show system setting ssl-decrypt certs

  B. show system setting ssl-decrypt certificate

  C. debug dataplane show ssl-decrypt ssl-stats

  D. show system setting ssl-decrypt certificate-cache

  Correct Answer: B

• Question 127:

  An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

  A. Custom Log Format within Device > Server Profiles > Syslog

  B. Built-in Actions within Objects > Log Forwarding Profile

  C. Logging and Reporting Settings within Device > Setup > Management

  D. Data Patterns within Objects > Custom Objects

  Correct Answer: B

• Question 128:

  Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

  A. Application filter

  B. Application override policy rule

  C. Security policy rule

  D. Custom app

  Correct Answer: BC

  When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

  To successfully implement application override, the following items must be configured:

  Application override policy rule:This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic. Security policy rule:After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

  For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.

• Question 129:

  Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

  A. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

  B. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server

  C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

  D. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange

  Correct Answer: C

• Question 130:

  An engineer is monitoring an active/passive high availability (HA) firewall pair.

  Which HA firewall state describes the firewall that is currently processing traffic?

  A. Active-primary

  B. Active

  C. Active-secondary

  D. Initial

  Correct Answer: B