Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 221:

  You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

  A. Upgrade the Log Collectors one at a time.
  B. Add Panorama Administrators to each Managed Collector.
  C. Add a Global Authentication Profile to each Managed Collector.
  D. Upgrade all the Log Collectors at the same time.
  D. Upgrade all the Log Collectors at the same time.

  ---

  Explanation

  You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-log-collectors-when-panorama-is-internet-connected

• Question 222:

  Starting with PAN-OS version 9.1, Global logging information is now recoded in which firewall log?

  A. Authentication
  B. Globalprotect
  C. Configuration
  D. System
  D. System

  ---

  Explanation

• Question 223:

  A superuser is tasked with creating administrator accounts for three contractors For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

  Which type of role-based access is most appropriate for this project?

  A. Create a Dynamic Admin with the Panorama Administrator role
  B. Create a Custom Panorama Admin
  C. Create a Device Group and Template Admin
  D. Create a Dynamic Read only superuser
  C. Create a Device Group and Template Admin

  ---

  Explanation

  A Custom Panorama Admin is a type of role-based access that allows a super user to create separate Panorama administrator accounts for each of the three contractors. This will allow each contractor to work with different device-groups in their hierarchy and deploy policies and objects in accordance with the organization's compliance requirements. The Custom Panorama Admin role also allows the super user to assign separate permissions to each contractor's account, granting them access to only the resources they are authorized to use. This type of role-based access is the most appropriate for this project as it will ensure that each contractor is only able to access the resources they need in order to do their job.

• Question 224:

  Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

  A. Application filter
  B. Application override policy rule
  C. Security policy rule
  D. Custom app
  B. Application override policy rule
  C. Security policy rule

  ---

  Explanation

  When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

  To successfully implement application override, the following items must be configured:

  Application override policy rule:This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic. Security policy rule:After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

  For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.

• Question 225:

  A logging infrastructure may need to handle more than 10,000 logs per second.

  Which two options support a dedicated log collector function? (Choose two)

  A. Panorama virtual appliance on ESX(i) only
  B. M-500
  C. M-100 with Panorama installed
  D. M-100
  B. M-500
  C. M-100 with Panorama installed

  ---

  Explanation

  (https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181)

• Question 226:

  Refer to the exhibit.

  

  Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

  A. shared pre-rules DATACENTER DG pre rules rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules DATACENTER.DG default rules
  B. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall shared post-rules DATACENTER.DG post-rules shared default rules
  C. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules shared default rules
  D. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules DATACENTER_DG default rules
  D. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules DATACENTER_DG default rules

  ---

  Explanation

• Question 227:

  An engineer is monitoring an active/active high availability (HA) firewall pair.

  Which HA firewall state describes the firewall that is currently processing traffic?

  A. Passive
  B. Initial
  C. Active
  D. Active-primary
  D. Active-primary

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-firewall-states

• Question 228:

  The certificate information displayed in the following image is for which type of certificate? Exhibit:

  

  A. Forward Trust certificate
  B. Self-Signed Root CA certificate
  C. Web Server certificate
  D. Public CA signed certificate
  B. Self-Signed Root CA certificate

  ---

  Explanation

• Question 229:

  A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

  A. Enable packet buffer protection on the Zone Protection Profile.
  B. Apply an Anti-Spyware Profile with DNS sinkholing.
  C. Use the DNS App-ID with application-default.
  D. Apply a classified DoS Protection Profile.
  D. Apply a classified DoS Protection Profile.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles

  To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.

• Question 230:

  A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?

  A. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone
  B. Enable packet buffer protection in the outside zone.
  C. Create a Security rule to deny all ICMP traffic from the outside zone.
  D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
  D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.

  ---

  Explanation