Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 191:

  A firewall administrator has confirm reports of a website is not displaying as expected, and wants to ensure that decryption is not causing the issue.

  Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)

  A. Disable SSL handshake logging

  B. Investigate decryption logs of the specific traffic to determine reasons for failure.

  C. Temporarily disable SSL decryption for all websites to troubleshoot the issue

  D. Create a policy-based "No Decrypt" rule in the decryption policy to include specific traffic from decryption.

  E. Move the policy with action decrypt to the top of the decryption policy rulebase.

  Correct Answer: BCD

• Question 192:

  All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors. There is known logging peak time during the day, and the security team has asked the firewall engineer to determined how many logs per second the current Palo Alto Networking log processing at that particular time.

  Which method is the most time-efficient to complete this task?

  A. Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector during the peak time.

  B. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.

  C. Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

  D. Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the peak time.

  Correct Answer: A

• Question 193:

  A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address.

  Which two actions are required for this scenario to work? (Choose two.)

  A. On the HQ firewall select peer IP address type FQDN

  B. On the remote location firewall select peer IP address type Dynamic

  C. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel

  D. On the remote location firewall enable DONS under the interface used for the IPSec tunnel

  Correct Answer: AC

• Question 194:

  The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall architect is responsible for log forwarding and should be checked for early signs of overutilization?

  A. Management plane CPU

  B. Dataplane CPU

  C. Packet buffers

  D. On-chip packet descriptors

  Correct Answer: A

• Question 195:

  Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

  A. Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

  B. Perform synchronization of routes, IPSec security associations, and User-ID information.

  C. Perform session cache synchronization for all HA cluster members with the same cluster ID.

  D. Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

  Correct Answer: D

  In a High Availability (HA) configuration, particularly in an active-passive setup, it's crucial that the passive unit is kept up to date with the current state of the active unit. This ensures a seamless transition in the event of a failover. The HA4

  interface is dedicated to this synchronization task.

  Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair:

  The HA4 interface is responsible for the synchronization of critical stateful information between the active and passive units in an HA pair. This includes session information, ensuring that the passive unit can continue existing sessions without

  interruption if it needs to become active.

  In addition to session information, HA4 also synchronizes forwarding tables, which contain information on how to route packets, and IPSec security associations, which are necessary for maintaining secure VPN tunnels.

  This synchronization ensures that both units in an HA pair have identical information regarding the current state of the network, sessions, and security associations, enabling a smooth and immediate transition to the passive unit in case the

  active unit fails.

• Question 196:

  What must be configured to apply tags automatically based on User-ID logs?

  A. Log Forwarding profile

  B. Device ID

  C. Log settings

  D. Group mapping

  Correct Answer: C

  Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

• Question 197:

  A firewall engineer is tasked with defining signatures for a custom application.

  Which two sources can the engineer use to gather information about the application patterns'? (Choose two.)

  A. Traffic logs

  B. Data filtering logs

  C. Policy Optimizer

  D. Wireshark

  Correct Answer: D

• Question 198:

  Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

  A. Number of blocked sessions

  B. TLS protocol version

  C. Encryption algorithm

  D. Number of security zones in decryption policies

  Correct Answer: BC

  According to the Palo Alto Networks documentation, decryption consumes firewall CPU resources, so it is important to evaluate the amount of SSL decryption that the firewall deployment can support. Two factors that affect the CPU consumption are the TLS protocol version and the encryption algorithm used by the encrypted traffic. The newer versions of TLS (such as TLS 1.3) and the stronger encryption algorithms (such as AES-256-GCM) require more CPU resources to decrypt than the older versions and weaker algorithms. Therefore, the correct answer is B and C. The other options are not relevant or important for sizing a decryption firewall deployment: Number of blocked sessions: This option refers to the number of sessions that the firewall blocks based on Security policy rules. It does not affect the decryption performance or resource consumption. Number of security zones in decryption policies: This option refers to the number of security zones that are used to define the source and destination of the traffic to be decrypted. It does not affect the decryption performance or resource consumption.

  References: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

• Question 199:

  A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?

  A. Add SSL and web-browsing applications to the same rule.

  B. Add web-browsing application to the same rule.

  C. Add SSL application to the same rule.

  D. SSL and web-browsing must both be explicitly allowed.

  Correct Answer: C

  'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the web-browsing application implicitly.. In our case, we dont know which APP the question referes too but 'Implicitly means already uses HTTP.

• Question 200:

  Given the screenshot, how did the firewall handle the traffic?

  

  A. Traffic was allowed by policy but denied by profile as encrypted.

  B. Traffic was allowed by policy but denied by profile as a threat.

  C. Traffic was allowed by profile but denied by policy as a threat.

  D. Traffic was allowed by policy but denied by profile as a nonstandard port.

  Correct Answer: B

  The screenshot shows the threat log which records the traffic that matches a threat signature or is blocked by a security profile. The log entry indicates that the traffic was allowed by the security policy rule "Allow-All" but was denied by the vulnerability protection profile "strict" as a threat. The threat name is "Microsoft Windows SMBv1 Multiple Vulnerabilities (MS17-010: EternalBlue)" and the action is "reset-both" which means that the firewall reset both the client and server connections. References: : https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields