What are three valid methods of user mapping? (Choose three.)
A. Syslog B. XML API C. 802.1X D. WildFire E. Server Monitoring
A. Syslog B. XML API E. Server Monitoring
Explanation
Question 242:
An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?
A. The client sent a TCP segment with the PUSH flag set. B. The TCP connection was terminated without identifying any application data. C. There is insufficient application data after the TCP connection was established. D. The TCP connection did not fully establish.
Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application. One example: if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN ACK back to the client, then that session is incomplete.
Question 243:
An engineer troubleshoots a high availability (HA) link that is unreliable.
Where can the engineer view what time the interface went down?
A. Monitor > Logs > Traffic B. Device > High Availability > Active/Passive Settings C. Monitor > Logs > System D. Dashboard > Widgets > High Availability
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt.
Which three items should be prioritized for decryption? (Choose three.)
A. Financial, health, and government traffic categories B. Less-trusted internal IP subnets C. Known malicious IP space D. High-risk traffic categories E. Public-facing servers
B. Less-trusted internal IP subnets D. High-risk traffic categories E. Public-facing servers
Explanation
Question 245:
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?
A. IKE Gateway profile B. IPSec Crypto profile C. IPSec Tunnel settings D. IKE Crypto profile
B. IPSec Crypto profile
Explanation
The **IKE crypto profile** is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
The **IPSec crypto profile** is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.
Question 246:
Which three functions are found on the dataplane of a PA-5050? (Choose three.)
A. Protocol Decoder B. Dynamic routing C. Management D. Network Processing E. Signature Match
B. Dynamic routing D. Network Processing E. Signature Match
Explanation
Question 247:
An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies, the administrator must update all the IPSec VPNs with new pre-shared keys. Where are the pre-shared keys located on the firewall?
A. Network/IPSec Tunnels B. Network/Network Profiles/IKE Gateways C. Network/Network Profiles/IPSec Crypto D. Network/Network Profiles/IKE Crypto
B. Network/Network Profiles/IKE Gateways
Explanation
Question 248:
A security engineer needs firewall management access on an Inside interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
A. Maximum TLS version B. Minimum TLS version C. Encryption Algorithm D. Certificate E. Authentication Algorithm
A. Maximum TLS version B. Minimum TLS version D. Certificate
Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted.
What is the result of traffic that matches the "Alert -Threats" Profile Match List?
A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes. D. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
Explanation
Question 250:
As a best practice, logging at session start should be used in which case?
A. On all Allow rules B. While troubleshooting C. Only when log at session end is enabled D. Only on Deny rules
B. While troubleshooting
Explanation
Logging at session start should be used as a best practice while troubleshooting. Logging at session start allows the administrator to see the logs for sessions that are initiated but not completed, such as sessions that are dropped or blocked by the firewall. This can help the administrator to identify and resolve issues with network connectivity or firewall configuration. Logging at session start should not be used for normal operations because it generates more logs and consumes more resources on the firewall. Option A is incorrect because logging at session start should not be used on all Allow rules. Logging at session end is sufficient for Allow rules because it provides information about the completed sessions, such as bytes and packets transferred, application, user, and threat information. Option C is incorrect because logging at session start can be used independently of logging at session end. Logging at session start and logging at session end are not mutually exclusive options. Option D is incorrect because logging at session start should not be used only on Deny rules. Logging at session end is sufficient for Deny rules because it provides information about the denied sessions, such as source and destination IP addresses, ports, and protocol.