PCNSE Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: Mar 23, 2026

Palo Alto Networks PCNSE Online Questions & Answers

  • Question 231:

    On the NGFW, how can you generate a private key and block it from export, and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

    A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate. 3. Select Import Private Key 4. Click Generate to generate the new certificate
    B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export.
    C. 1. Select Device > Certificates 2. Select Certificate Profile. 3. Generate the certificate 4. Select Block Private Key Export
    D. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate.

  • Question 232:

    An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?

    A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
    B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
    C. The firewalls do not use floating IPs in active/active HA.
    D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

  • Question 233:

    A firewall administrator wants to avoid overflowing the company syslog server with traffic logs. What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?

    A. Disable logging on security rules allowing DNS.
    B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DNS.
    C. Create a security rule to deny DNS traffic with the syslog server in the destination.
    D. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application equal to DNS.

  • Question 234:

    Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?

    A. self-signed root CA
    B. external CA certificate
    C. server certificate
    D. device certificate

  • Question 235:

    Which two are required by IPSec in transport mode? (Choose two.)

    A. Auto generated key
    B. NAT Traversal
    C. IKEv1
    D. DH-group 20 (ECP-384 bits)

  • Question 236:

    Exhibit.

    Given the screenshot, how did the firewall handle the traffic?

    A. Traffic was allowed by policy but denied by profile as encrypted.
    B. Traffic was allowed by policy but denied by profile as a threat.
    C. Traffic was allowed by profile but denied by policy as a threat.
    D. Traffic was allowed by policy but denied by profile as a nonstandard port.

  • Question 237:

    In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?

    A. HTTPS
    B. FTP
    C. SMB v3
    D. SCP

  • Question 238:

    What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

    A. link state
    B. stateful firewall connection
    C. certificates
    D. profiles

  • Question 239:

    What is the best definition of the Heartbeat Interval?

    A. The interval in milliseconds between hello packets
    B. The frequency at which the HA peers check link or path availability
    C. The frequency at which the HA peers exchange ping
    D. The interval during which the firewall will remain active following a link monitor failure

  • Question 240:

    Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

    A. Certificate revocation list
    B. Trusted root certificate
    C. Machine certificate
    D. Online Certificate Status Protocol
