Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
A. Change destination NAT zone to Trust_L3.
B. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
C. Change Source NAT zone to Untrust_L3.
D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
Correct Answer: D
Question 202:
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.)
An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?
A. 1
B. 2
C. 3
D. 4
Correct Answer: D
The default class assigned to traffic that does not match any QoS class is class 4. QoS policy, like security policy, is processed top to bottom and the first matching rule is applied; any session that matches no QoS policy rule is placed in class 4. Options A, B and C are incorrect because classes 1, 2 and 3 are user-defined classes that traffic enters only when it matches QoS policy criteria; none of them is the default for unmatched traffic.
Question 204:
An ISP manages a Palo Alto Networks firewall with multiple virtual systems for its tenants.
Where on this firewall can the ISP configure unique service routes for different tenants?
A. Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Inherit Global Service Route Configuration
B. Setup > Services > Global > Service Route Configuration > Customize
C. Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Customize
D. Setup > Services > Global > Service Route Configuration > Use Management Interface for all
Correct Answer: C
The best option for the ISP to configure unique service routes for different tenants is Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Customize. This option lets the ISP customize the service routes for each virtual system that represents a tenant. A service route is the path from a firewall interface to a service on a server, such as DNS, email, or Panorama. By customizing the service routes per virtual system, the ISP ensures that each tenant reaches these services from a different interface or IP address. Option A is incorrect because it makes a virtual system inherit the global service route configuration rather than customize it. Option B is incorrect because it customizes the global service route configuration shared by all virtual systems, not the routes of a specific one. Option D is incorrect because it forces all service routes through the management interface instead of customizing them.
Question 205:
When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?
A. Local
B. LDAP
C. Kerberos
D. Radius
Correct Answer: A
When using SSH keys for CLI authentication for firewall administration, the method used for authorization is local. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 4: Authentication and Authorization, under the section "CLI Authentication with SSH Keys":
"SSH keys use public key cryptography to authenticate users, but they do not provide a mechanism for authorization. Therefore, when using SSH keys for CLI authentication, authorization is always performed locally on the firewall."
Question 206:
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
A. Hello Interval
B. Promotion Hold Time
C. Heartbeat Interval
D. Monitor Fail Hold Up Time
Correct Answer: A
The heartbeat interval determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping). The default value is 1000 milliseconds (1 second). The heartbeat interval is used to detect failures and trigger failover in an HA pair. The other options are not correct. The hello interval determines the frequency at which the HA peers exchange messages in the form of an HA packet. The default value is 3000 milliseconds (3 seconds). The hello interval is used to establish and maintain HA connectivity. The promotion hold time determines the amount of time that a passive firewall waits before it becomes active after detecting a failure on the active firewall. The default value is 5000 milliseconds (5 seconds). The monitor fail hold up time determines the amount of time that a firewall waits before it declares a monitor failure after detecting a link down event on an interface. The default value is 2000 milliseconds (2 seconds).
An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up.
If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?
A. show system state filter sw.dev.interface.config
B. show chassis status slot s1
C. show system state filter-pretty sys.s1.*
D. show system state filter ethernet1/1
Correct Answer: C
The full syntax is show system state filter-pretty sys.s1.p1.phy, where s1 is slot 1 and p1 is port 1, i.e. ethernet1/1. This output includes the transceiver type, tx-power, rx-power, vendor name, and part number.
Question 208:
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
A. Resource Protection
B. TCP Port Scan Protection
C. Packet Based Attack Protection
D. Packet Buffer Protection
Correct Answer: A
According to the documentation, resource protection detects and prevents session exhaustion attacks against specific destinations. This type of attack uses a large number of hosts to establish as many fully established sessions as possible to consume all of a system's resources. Resource protection defines the maximum number of concurrent connections for a destination IP address or zone.
Reference: Palo Alto Networks, "Security Profile: DoS Protection Profile", https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-dos-protection-profile
Question 209:
DRAG DROP
Below are the steps in the workflow for creating a Best Practice Assessment for a firewall and Panorama configuration. Place the steps in order.
Select and Place:
Correct Answer:
Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file.
Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.
Step 3. Upload or drag and drop the technical support file.
Step 4. Map the zone type and area of the architecture to each zone.
Step 5. Follow the steps to download the BPA report bundle.
Question 210:
DRAG DROP
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all.