Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 241:

  An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?

  A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

  B. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.

  C. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.

  D. Disable the WildFire profile on the related Security policy.

  Correct Answer: A

• Question 242:

  An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)

  A. URL categories

  B. source users

  C. source and destination IP addresses

  D. App-ID

  E. GlobalProtect HIP

  Correct Answer: ABC

• Question 243:

  What is a correct statement regarding administrative authentication using external services with a local authorization method?

  A. Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.

  B. Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.

  C. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.

  D. The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.

  Correct Answer: C

  The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, or LDAP server. https://docs.paloaltonetworks.com/ pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

• Question 244:

  A client wants to detect the use of weak and manufacturer-default passwords for loT devices. Which option will help the customer?

  A. Configure a Data Filtering profile with alert mode.

  B. Configure an Antivirus profile with alert mode.

  C. Configure a Vulnerability Protection profile with alert mode

  D. Configure an Anti-Spyware profile with alert mode.

  Correct Answer: C

• Question 245:

  A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

  A. Panorama > Managed Devices

  B. Monitor > Logs > Traffic

  C. Device Groups > Objects > Log Forwarding

  D. Templates > Device > Log Settings

  Correct Answer: C

• Question 246:

  Refer to the diagram. Users at an internal system want to ssh to the SSH server The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

  In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

  

  A. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: Static IP / 172.16.15.1 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Trust Destination IP: 172.16.15.10 Application: ssh

  B. NAT Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: Trust Destination IP: 192.168.15.1 Destination Translation: Static IP / 172.16.15.10 Security Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh

  C. NAT Rule: Source Zone: Trust

  Source IP: Any

  Destination Zone: Trust

  Destination IP: 192.168.15.1

  Destination Translation: Static IP /172.16.15.10

  Security Rule:

  Source Zone: Trust

  Source IP: Any

  Destination Zone: Server

  Destination IP: 172.16.15.10

  Application: ssh

  D. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: dynamic-ip-and-port / ethernet1/4 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh

  Correct Answer: D

• Question 247:

  An engineer is configuring SSL Inbound Inspection for public access to a company's application. Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

  A. Self-signed CA and End-entity certificate

  B. Root CA and Intermediate CA(s)

  C. Self-signed certificate with exportable private key

  D. Intermediate CA (s) and End-entity certificate

  Correct Answer: D

• Question 248:

  Which Panorama feature protects logs against data loss if a Panorama server fails?

  A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

  B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

  C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

  D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

  Correct Answer: B

  "Log redundancy is available only if each Log Collector has the same number of logging disks." (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

  https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

• Question 249:

  An administrator is seeing one of the firewalls in a HA active/passive pair moved to 'suspended" state due to Non-functional loop. Which three actions will help the administrator troubleshool this issue? (Choose three.)

  A. Use the CLI command show high-availability flap-statistics

  B. Check the HA Link Monitoring interface cables.

  C. Check the High Availability > Link and Path Monitoring settings.

  D. Check High Availability > Active/Passive Settings > Passive Link State

  E. Check the High Availability > HA Communications > Packet Forwarding settings.

  Correct Answer: ABC

• Question 250:

  Which profile generates a packet threat type found in threat logs?

  A. Zone Protection

  B. WildFire

  C. Anti-Spyware

  D. Antivirus

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields packet--Packet-based attack protection triggered by a Zone Protection profile.