Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 181:

  Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

  A. Template stacks
  B. Template variables
  C. The Shared device group
  D. A device group
  B. Template variables

  ---

  Explanation

  Template variables are placeholders that you can use in a template or a template stack to represent values that differ across firewalls, such as IP addresses, hostnames, or interface names. Template variables allow you to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects change

  1.Option A is incorrect because template stacks are used to group multiple templates together and apply them to firewalls or device groups. Template stacks do not allow you to use variables for different values

  2.Option C is incorrect because the Shared device group is used to push policies and objects that are common across all firewalls managed by Panorama. The Shared device group does not allow you to use variables for different values

  3.Option D is incorrect because a device group is used to group firewalls that require similar policies and objects. A device group does not allow you to use variables for different values.

• Question 182:

  Refer to the image.

  

  An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

  How can the issue be corrected?

  A. Override the value on the NYCFW template.
  B. Override a template value using a template stack variable.
  C. Override the value on the Global template.
  D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
  B. Override a template value using a template stack variable.

  ---

  Explanation

  Both templates and template stacks support variables. Variables allow you to create placeholder objects with their value specified in the template or template stack based on your configuration needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in your configurations. https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/override-a-templatesetting.html

• Question 183:

  After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

  A. A Server Profile has not been configured for logging to this Panorama device.
  B. Panorama is not licensed to receive logs from this particular firewall.
  C. The firewall is not licensed for logging to this Panorama device.
  D. None of the firwwall's policies have been assigned a Log Forwarding profile
  D. None of the firwwall's policies have been assigned a Log Forwarding profile

  ---

  Explanation

• Question 184:

  An administrator needs to troubleshoot a User-ID deployment The administrator believes that there is an issue related to LDAP authentication The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

  A. > ftp export mgmt-pcap from mgmt.pcap to
  B. > scp export mgmt-pcap from mgmt.pcap to {username@host:path>
  C. > scp export pcap-mgmt from pcap.mgmt to (username@host:path)
  D. > scp export pcap from pcap to (usernameQhost:path)
  B. > scp export mgmt-pcap from mgmt.pcap to {username@host:path>

  ---

  Explanation

• Question 185:

  The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

  

  An end-user visits the untrusted website https //www firewall-do-not-trust-website com.

  Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

  A. Forward-Untrust-Certificate
  B. Forward-Trust-Certificate
  C. Firewall-CA
  D. Firewall-Trusted-Root-CA
  B. Forward-Trust-Certificate

  ---

  Explanation

• Question 186:

  Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

  A. Threat
  B. HIP Match
  C. Traffic
  D. Configuration
  A. Threat
  C. Traffic

  ---

  Explanation

• Question 187:

  Refer to the exhibit.

  

  An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)

  Which two security policy rules will accomplish this configuration? (Choose two.)

  A. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
  B. Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow
  C. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
  D. Untrust (Any) to Untrust (10.1.1.1), SSH -Allow
  E. Untrust (Any) to DMZ (1.1.1.100), SSH -Allow
  B. Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow
  E. Untrust (Any) to DMZ (1.1.1.100), SSH -Allow

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping#

• Question 188:

  You have been asked to implement GlobalProtect for your organization. You have decided on https://gp.mycompany.com for your Portal, and have received the certificate and key. Where would you navigate to on the firewall UI to import the certificate?

  A. Device > Certificate Management > Device Certificates > Certificates
  B. Device Certificates > Certificate Management > Certificates > Device
  C. Device > Device Certificates > Certificate Management > Certificates
  D. Device > Certificate Management > Certificates > Device Certificates
  D. Device > Certificate Management > Certificates > Device Certificates

  ---

  Explanation

• Question 189:

  While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1. How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

  A. > show counter global filter packet-filter yes delta yes
  B. > show counter global filter severity drop
  C. > debug dataplane packet-diag set capture stage drop
  D. > show counter global filter delta yes I match 10.1.1-1
  A. > show counter global filter packet-filter yes delta yes

  ---

  Explanation

• Question 190:

  A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.

  What can be done to simplify the NAT policy?

  A. Configure ECMP to handle matching NAT traffic
  B. Configure a NAT Policy rule with Dynamic IP and Port
  C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
  D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option
  C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples