Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 231:

  An engineer is pushing configuration from Panorama lo a managed firewall.

  What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

  A. The firewall rejects the pushed configuration, and the commit fails.

  B. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

  C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

  D. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

  Correct Answer: A

• Question 232:

  Which configuration is backed up using the Scheduled Config Export feature in Panorama?

  A. Panorama running configuration

  B. Panorama candidate configuration

  C. Panorama candidate configuration and candidate configuration of all managed devices

  D. Panorama running configuration and running configuration of all managed devices

  Correct Answer: D

• Question 233:

  An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

  Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

  A. Non-functional

  B. Passive

  C. Active-Secondary

  D. Active

  Correct Answer: D

• Question 234:

  The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

  Why is the AE interface showing down on the passive firewall?

  A. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the High Availability Options on the LACP tab of the AE Interface.

  B. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface.

  C. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface.

  D. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface.

  Correct Answer: A

• Question 235:

  You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

  A. Upgrade the Log Collectors one at a time.

  B. Add Panorama Administrators to each Managed Collector.

  C. Add a Global Authentication Profile to each Managed Collector.

  D. Upgrade all the Log Collectors at the same time.

  Correct Answer: D

  You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-log-collectors-when-panorama-is-internet-connected

• Question 236:

  Which steps should an engineer take to forward system logs to email?

  A. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.

  B. Enable log forwarding under the email profile in the Objects tab.

  C. Create a new email profile under Device > server profiles: then navigate to Device > Log Settings > System and add the email profile under email.

  D. Enable log forwarding under the email profile in the Device tab.

  Correct Answer: A

• Question 237:

  An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?

  A. The client sent a TCP segment with the PUSH flag set.

  B. The TCP connection was terminated without identifying any application data.

  C. There is insufficient application data after the TCP connection was established.

  D. The TCP connection did not fully establish.

  Correct Answer: D

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

  Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was no enough data after the handshake to identify the application. In other words that traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN , but the server never sends a SYN ACK back to the client, then that session is incomplete.

• Question 238:

  Which three statements correctly describe Session 380280? (Choose three.)

  

  

  A. The session went through SSL decryption processing.

  B. The session has ended with the end-reason "unknown."

  C. The application has been identified as web-browsing.

  D. The session did not go through SSL decryption processing.

  E. The application was initially identified as "ssl."

  Correct Answer: ACE

• Question 239:

  While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column What best explains these occurrences?

  A. A handshake took place, but no data packets were sent prior to the timeout.

  B. A handshake took place; however, there were not enough packets to identify the application.

  C. A handshake did take place, but the application could not be identified.

  D. A handshake did not take place, and the application could not be identified.

  Correct Answer: C

• Question 240:

  A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

  Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

  A. Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

  B. > set session tcp-reject-non-syn no

  C. Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

  D. # set deviceconfig setting session tcp-reject-non-syn no

  Correct Answer: AD

  Option A is correct because setting "Reject Non-syn-TCP" to No and "Asymmetric Path" to Bypass in the Zone Protection profile disables the TCP checks that can cause the firewall to drop packets due to asymmetric routing. This allows the firewall to accept non-SYN TCP packets without a session match and packets that are out of sequence or out of window.

  Option D is correct because setting session tcp-reject-non-syn to no in the CLI also disables the TCP checks that can cause the firewall to drop packets due to asymmetric routing. This allows the firewall to accept non-SYN TCP packets without a session match and packets that are out of sequence or out of window.

  Option B is incorrect because setting session tcp-reject-non-syn to no in the CLI has the same effect as setting "Reject Non-syn-TCP" to No in the Zone Protection profile, so there is no need to do both. Also, setting "Asymmetric Path" to Global in the Zone Protection profile does not disable the TCP checks that can cause the firewall to drop packets due to asymmetric routing. It only allows the firewall to use a global timer for asymmetric path detection instead of a per-session timer. Option C is incorrect because setting "Reject Non-syn-TCP" to Global and "Asymmetric Path" to Global in the Zone Protection profile does not disable the TCP checks that can cause the firewall to drop packets due to asymmetric routing. It only allows the firewall to use a global timer for both non-SYN TCP rejection and asymmetric path detection instead of a per-session timer.

  References: 1 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000 ClReCAK 2 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000 ClSHCA0