Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 161:

  Which event will happen if an administrator uses an Application Override Policy?

  A. Threat-ID processing time is decreased.
  B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
  C. The application name assigned to the traffic by the security rule is written to the Traffic log.
  D. App-ID processing time is increased.
  B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.

  ---

  Explanation

  https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513

  https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/manage-custom-or-unknown-applications#

  "If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats."

• Question 162:

  An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  A. Wildfire update package
  B. User-ID agent
  C. Anti virus update package
  D. Application and Threats update package
  D. Application and Threats update package

  ---

  Explanation

  Explanation : Dependencies : Before upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS Upgrade. : https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/upgrade-to-pan-os-90/upgrade-the-firewall-to-pan-os-90/upgrade-an-ha-firewall-pair-to-pan-os-90.html#idab14f5f2-f662-4e5c-ba5b-2cc35993e2ec

• Question 163:

  Which log type will help the engineer verify whether packet buffer protection was activated?

  A. Data Filtering
  B. Configuration
  C. Threat
  D. Traffic
  C. Threat

  ---

  Explanation

  The log type that will help the engineer verify whether packet buffer protection was activated is Threat Logs. Threat Logs are logs generated by the Palo Alto Networks firewall when it detects a malicious activity on the network. These logs contain information about the source, destination, and type of threat detected. They also contain information about the packet buffer protection that was activated in response to the detected threat. This information can help the engineer verify that packet buffer protection was activated and determine which actions were taken in response to the detected threat.

• Question 164:

  What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

  

  A. IP Netmask
  B. IP Wildcard Mask
  C. IP Address
  D. IP Range
  B. IP Wildcard Mask

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/wildcard-address

• Question 165:

  What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?

  A. It automatically pushes the configuration to Panorama after strengthening the overall security posture
  B. It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama
  C. The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment
  D. The AIOps plugin in Panorama retroactively checks the policy changes during the commits
  B. It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama

  ---

  Explanation

  The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises

  administrators before pushing changes, improving security posture without automatic enforcement.

  Palo Alto Networks AIOps for NGFW Documentation, PAN-OS 11.2 -AIOps Plugin Overview.

• Question 166:

  Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

  A. port mapping
  B. server monitoring
  C. client probing
  D. XFF headers
  A. port mapping

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-for-terminal-server-users

• Question 167:

  While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column What best explains these occurrences?

  A. A handshake took place, but no data packets were sent prior to the timeout.
  B. A handshake took place; however, there were not enough packets to identify the application.
  C. A handshake did take place, but the application could not be identified.
  D. A handshake did not take place, and the application could not be identified.
  C. A handshake did take place, but the application could not be identified.

  ---

  Explanation

• Question 168:

  A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.

  There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.

  What is the best option for the administrator to take?

  A. Configure the TAP interface for segment X on the firewall.
  B. Configure vwire interfaces for segment X on the firewall.
  C. Configure a Layer 3 interface for segment X on the firewall.
  D. Configure a new vsys for segment X on the firewall.
  B. Configure vwire interfaces for segment X on the firewall.

  ---

  Explanation

• Question 169:

  Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

  A. One-time password
  B. User certificate
  C. Voice
  D. SMS
  E. Fingerprint
  A. One-time password
  B. User certificate
  D. SMS

  ---

  Explanation

  The firewall can use three multi-factor authentication methods to authenticate access to the firewall: SMS, user certificate, and one-time password. These methods can be used in combination with other authentication factors, such as username and password, to provide stronger security for accessing the firewall web interface or CLI. The firewall can integrate with various MFA vendors that support these methods through RADIUS or SAML protocols. Voice and fingerprint are not supported by the firewall as MFA methods.

  References: MFA Vendor Support, PCNSE Study Guide (page 48)

• Question 170:

  A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

  A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
  B. Add a Vulnerability Protection Profile to block the attack.
  C. Add QoS Profiles to throttle incoming requests.
  D. Add a DoS Protection Profile with defined session count.
  D. Add a DoS Protection Profile with defined session count.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html