Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: May 05, 2025

Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

  • Question 161:

    Which log type is supported in the Log Forwarding profile?

    A. User-ID

    B. GlobalProtect

    C. Configuration

    D. Tunnel

  • Question 162:

    A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

    Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

    A. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

    B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.

    C. Upload the image to Panorama > Software menu, and deploy it to the firewalls.

    D. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

  • Question 163:

    Which link is responsible for synchronizing sessions between high availability (HA) peers?

    A. HA1

    B. HA3

    C. HA4

    D. HA2

  • Question 164:

    An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be used for approved web traffic?

    A. An Enterprise Root CA certificate

    B. The same certificate as the Forward Trust certificate

    C. A Public Root CA certificate

    D. The same certificate as the Forward Untrust certificate

  • Question 165:

    Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

    A. Threat

    B. HIP Match

    C. Traffic

    D. Configuration

  • Question 166:

    A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.

    Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

    A. Kerberos or SAML authentication needs to be configured.

    B. RADIUS is only supported for a transparent Web Proxy.

    C. RADIUS is not supported for explicit or transparent Web Proxy.

    D. LDAP or TACACS+ authentication needs to be configured.

  • Question 167:

    A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication.

    What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?

    A. Deploy a PAN-OS integrated User-ID agent on each vsys

    B. Deploy the GlobalProtect vsys as a User-ID data hub

    C. Deploy an M-200 as a User-ID collector

    D. Deploy Windows User-ID agents on each domain controller

  • Question 168:

    A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

    What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

    A. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

    B. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

    C. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

    D. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

  • Question 169:

    Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)

    A. Configure the decryption profile.

    B. Configure SSL decryption rules.

    C. Define a Forward Trust Certificate.

    D. Configure an SSL/TLS service profile.

  • Question 170:

    A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours.

    Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)

    A. Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours.

    B. Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.

    C. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.

    D. Select the action "download-only" when configuring an Applications and Threats update schedule.
