The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?
A. A Certificate Profile that contains the client certificate needs to be selected. B. The source address supports only files hosted with an ftp://. C. External Dynamic Lists do not support SSL connections. D. A Certificate Profile that contains the CA certificate needs to be selected.
D. A Certificate Profile that contains the CA certificate needs to be selected.
Explanation
"If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root certificate authority (CA) and intermediate CA certificates that match the certificates installed on the server you are authenticating."
Question 252:
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route. What are two reasons why the firewall might not use a static route? (Choose two.)
A. no install on the route B. duplicate static route C. path monitoring on the static route D. disabling of the static route
A. no install on the route C. path monitoring on the static route
When you configure a Layer 3 interface what is one mandatory step?
A. Configure Security profiles, which need to be attached to each Layer 3 interface B. Configure Interface Management profiles which need to be attached to each Layer 3 interface C. Configure virtual routers to route the traffic for each Layer 3 interface D. Configure service routes to route the traffic for each Layer 3 interface
C. Configure virtual routers to route the traffic for each Layer 3 interface
Explanation
In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure Layer 3 Interfaces, you must configure the Virtual Routers that you want the firewall to use to route the traffic for each Layer 3 interface.
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
A. ACC B. System Logs C. App Scope D. Session Browser
D. Session Browser
Explanation
Question 255:
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?
A. performing a local firewall commit B. removing the firewall as a managed device in Panorama C. performing a factory reset of the firewall D. removing the Panorama serial number from the ZTP service
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs. B. Export the log database C. Use the scp logdb export command D. Use the ACC to consolidate the logs
The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect app and GlobalProtect satellite B. GlobalProtect app and GlobalProtect gateway C. GlobalProtect portal and GlobalProtect gateway D. GlobalProtect app and GlobalProtect portal
B. GlobalProtect app and GlobalProtect gateway
Explanation
Question 258:
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication.
What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?
A. Deploy a PAN-OS integrated User-ID agent on each vsys B. Deploy the GlobalProtect vsys as a User-ID data hub C. Deploy an M-200 as a User-ID collector D. Deploy Windows User-ID agents on each domain controller
B. Deploy the GlobalProtect vsys as a User-ID data hub
Which source is the most reliable for collecting User-ID user mapping?
A. GlobalProtect B. Microsoft Active Directory C. Microsoft Exchange D. Syslog Listener
A. GlobalProtect
Explanation
User-ID is a feature that enables you to identify and control users on your network based on their usernames instead of their IP addresses. User mapping is the process of mapping IP addresses to usernames using various sources of information. The most reliable source for collecting User-ID user mapping is GlobalProtect. GlobalProtect is a solution that provides secure access to your network and resources from anywhere. GlobalProtect agents on endpoints send user mapping information directly to the firewall or Panorama, which eliminates the need for probing other sources. GlobalProtect also supports dynamic IP address changes and roaming users.
Question 260:
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?
A. More than 15 minutes B. 5 minutes C. 10 to 15 minutes D. 5 to 10 minutes
D. 5 to 10 minutes
Explanation
"As new WildFire signatures are available every five minutes, this setting ensures the firewall retrieves these signatures within a minute of availability." Meaning if the WildFire checks for verdict at 06:00 PM it would next check at 06:05, however if you submit a file at 06:06 -WildFire would check at 06:10 but your verdict will come at 06:11, which would be fetched by WildFire at 06:15 -hence 9 minutes since you submitted. So 5 to 10 mins depending on your time of submission.