Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 211:

  DRAG DROP

  Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/set-up-zero-touch-provisioning/ztp-overview/ztp-configuration-elements.html

• Question 212:

  DRAG DROP

  Please match the terms to their corresponding definitions.

  Select and Place:

  

  Correct Answer:

  

• Question 213:

  DRAG DROP

  Match each SD-WAN configuration element to the description of that element.

  Select and Place:

  

  Correct Answer:

  

  An SD-WAN Interface Profile specifies the Tag that you apply to the physical interface, and also specifies the type of Link that interface is (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFi, or other). The Interface Profile is also where you specify the maximum upload and download speeds (in Mbps) of the ISP's connection. You can also change whether the firewall monitors the path frequently or not; the firewall monitors link types appropriately by default. A Layer3 Ethernet Interface with an IPv4 address can support SD-WAN functionalities. You apply an SD-WAN Interface Profile to this interface (red arrow) to indicate the characteristics of the interface. The blue arrow indicates that physical Interfaces are referenced and grouped in a virtual SD-WAN Interface. A virtual SD-WAN Interface is a VPN tunnel or DIA group of one or more interfaces that constitute a numbered, virtual SD-WAN Interface to which you can route traffic. The paths belonging to an SD-WAN Interface all go to the same destination WAN and are all the same type (either DIA or VPN tunnel). (Tag A and Tag B indicate that physical interfaces for the virtual interface can have different tags.) A Path Quality Profile specifies maximum latency, jitter, and packet loss thresholds. Exceeding a threshold indicates that the path has deteriorated and the firewall needs to select a new path to the target. A sensitivity setting of high, medium, or low lets you indicate to the firewall which path monitoring parameter is more important for the applications to which the profile applies. The green arrow indicates that you reference a Path Quality Profile in one or more SD-WAN Policy Rules; thus, you can specify different thresholds for rules applied to packets having different applications, services, sources, destinations, zones, and users. A Traffic Distribution Profile specifies how the firewall determines a new best path if the current preferred path exceeds a path quality threshold. You specify which Tags the distribution method uses to narrow its selection of a new path; hence, the yellow arrow points from Tags to the Traffic Distribution profile. A Traffic Distribution profile specifies the distribution method for the rule. The preceding elements come together in SD-WAN Policy Rules The purple arrow indicates that you reference a Path Qualify Profile and a Traffic Distribution profile in a rule, along with packet applications/services, sources, destinations, and users to specifically indicate when and how the firewall performs application-based SD-WAN path selection for a packet not belonging to a session.

  https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/sd-wan- configuration-elements.html

• Question 214:

  DRAG DROP

  Match each GlobalProtect component to the purpose of that component

  Select and Place:

  

  Correct Answer:

  

  The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure The GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps The GlobalProtect app software runs on endpoints and enables access to your network resources

• Question 215:

  DRAG DROP Match each type of DoS attack to an example of that type of attack

  Select and Place:

  

  Correct Answer:

  

  Plan to defend your network against different types of DoS attacks:

  Application-Based Attacks

  --Target weaknesses in a particular application and try to exhaust its resources so legitimate users can't use it. An example of this is the Slowloris attack.

  Protocol-Based Attacks

  --Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.

  Volumetric Attacks

  --High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense.html

• Question 216:

  DRAG DROP

  Place the steps in the WildFire process workflow in their correct order.

  Select and Place:

  

  Correct Answer:

  

  

  https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/about-wildfire.html

• Question 217:

  Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

  

  

  A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

  B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and Spermitted-subnet-2.

  C. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

  D. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1l and $permitted-subnet-2.

  Correct Answer: C

  "- Force Template Value will as the name suggest remove any local configuratio and apply the value define the panorama template. But this is valid only for overlapping configuration" "You need to be careful, what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitely defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value" https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620

• Question 218:

  Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

  A. Template stacks

  B. Template variables

  C. The Shared device group

  D. A device group

  Correct Answer: B

  Template variables are placeholders that you can use in a template or a template stack to represent values that differ across firewalls, such as IP addresses, hostnames, or interface names. Template variables allow you to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects change

  1.

  Option A is incorrect because template stacks are used to group multiple templates together and apply them to firewalls or device groups. Template stacks do not allow you to use variables for different values

  2.

  Option C is incorrect because the Shared device group is used to push policies and objects that are common across all firewalls managed by Panorama. The Shared device group does not allow you to use variables for different values

  3.

  Option D is incorrect because a device group is used to group firewalls that require similar policies and objects. A device group does not allow you to use variables for different values.

• Question 219:

  A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile.

  What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)

  A. ICMP Drop

  B. TCP Drop

  C. TCP Port Scan Block

  D. SYN Random Early Drop

  Correct Answer: AB

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles/packet-based-attack-protection

• Question 220:

  Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

  A. NAT

  B. DOS protection

  C. QoS

  D. Tunnel inspection

  Correct Answer: C

  The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role1. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device2. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc3. This can help optimize the network performance and ensure the quality of service for critical applications and devices.