Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 151:

  An engineer is configuring SSL Inbound Inspection for public access to a company's application. Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

  A. Self-signed CA and End-entity certificate
  B. Root CA and Intermediate CA(s)
  C. Self-signed certificate with exportable private key
  D. Intermediate CA (s) and End-entity certificate
  D. Intermediate CA (s) and End-entity certificate

  ---

  Explanation

• Question 152:

  A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS?software would help in this case?

  A. application override
  B. Virtual Wire mode
  C. content inspection
  D. redistribution of user mappings
  D. redistribution of user mappings

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network

• Question 153:

  What does the User-ID agent use to find login and logout events in syslog messages?

  A. Syslog Server profile
  B. Authentication log
  C. Syslog Parse profile
  D. Log Forwarding profile
  C. Syslog Parse profile

  ---

  Explanation

• Question 154:

  Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)

  A. Configure the decryption profile.
  B. Configure SSL decryption rules.
  C. Define a Forward Trust Certificate.
  D. Configure a SSL / TLS service profile.
  B. Configure SSL decryption rules.
  C. Define a Forward Trust Certificate.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

  Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.

• Question 155:

  How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

  A. Configure the firewall's assigned template to download the content updates.
  B. Choose the download and install action for both members of the HA pair in the Schedule object.
  C. Switch context to the firewalls to start the download and install process.
  D. Download the apps to the primary; no further action is required.
  B. Choose the download and install action for both members of the HA pair in the Schedule object.

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/add-the-managed-firewalls-and-deploy-updates

• Question 156:

  Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

  A. HA cluster members must be the same firewall model and run the same PAN-OS version.
  B. HA cluster members must share the same zone names.
  C. Panorama must be used to manage HA cluster members.
  D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.
  A. HA cluster members must be the same firewall model and run the same PAN-OS version.
  B. HA cluster members must share the same zone names.

  ---

  Explanation

  Provisioning Requirements and Best Practices

  HA cluster members must be the same firewall model and run the same PAN-OS? version.

  HA cluster members must share the same zone names in order for sessions to successfully fail over to another cluster member.

  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/ha-clustering-best-practices-and-provisioning

• Question 157:

  An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

  A. It applies to existing sessions and is not global
  B. It applies to new sessions and is global
  C. It applies to new sessions and is not global
  D. It applies to existing sessions and is global
  D. It applies to existing sessions and is global

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

• Question 158:

  What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

  A. Destination Zone
  B. App-ID
  C. Custom URL Category
  D. User-ID
  E. Source Interface
  A. Destination Zone
  C. Custom URL Category
  D. User-ID

  ---

  Explanation

• Question 159:

  An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)

  A. A QoS policy for each application
  B. An Application Override policy for the SIP traffic
  C. A QoS profile defining traffic classes
  D. QoS on the ingress interface for the traffic flows
  E. QoS on the egress interface for the traffic flows
  A. A QoS policy for each application
  C. A QoS profile defining traffic classes
  E. QoS on the egress interface for the traffic flows

  ---

  Explanation

  The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external-or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.

  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egress-interface

• Question 160:

  A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two)

  A. Verify the NGFWs have the Advanced DNS Security and Advanced Threat Prevention licenses installed and validated
  B. Create or update a Vulnerability Protection profile to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected
  C. Verify the NGFWs have the Advanced DNS Security and Advanced URL Filtering licenses installed and validated
  D. Create or update an Anti-Spyware profile, go to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected
  C. Verify the NGFWs have the Advanced DNS Security and Advanced URL Filtering licenses installed and validated
  D. Create or update an Anti-Spyware profile, go to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected

  ---

  Explanation

  To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.

  PAN-OS 11.2 Administrator's Guide, "DNS Security" section; "Security Profiles" -Anti-Spyware Profile.