PCNSE Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: Mar 23, 2026

Palo Alto Networks PCNSE Online Questions & Answers

  • Question 261:

    Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

    A. show session all ssl-decrypt yes count yes
    B. show session filter ssl-decryption yes total-count yes
    C. show session all filter ssl-decrypt yes count yes
    D. show session all filter ssl-decryption yes total-count yes

  • Question 262:

    Review the screenshots and consider the following information:

    1. FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG.

    2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.

    Which IP address will be pushed to the firewalls inside Address Object Server-1?

    A. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
    B. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
    C. Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.
    D. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.

  • Question 263:

    Which feature checks Panorama connectivity status after a commit?

    A. Automated commit recovery
    B. Scheduled config export
    C. Device monitoring data under Panorama settings
    D. HTTP Server profiles

  • Question 264:

    A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

    A. Blocked Activity
    B. Bandwidth Activity
    C. Threat Activity
    D. Network Activity

  • Question 265:

    A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Application to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

    How does the firewall identify the New App-ID characteristic?

    A. It matches to the New App-IDs downloaded in the last 30 days.
    B. It matches to the New App-IDs downloaded in the last 90 days.
    C. It matches to the New App-IDs installed since the last time the firewall was rebooted.
    D. It matches to the New App-IDs in the most recently installed content releases.

  • Question 266:

    What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?

    A. SSL/TLS Service profile
    B. Certificate profile
    C. SCEP
    D. OCSP Responder

  • Question 267:

    An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

    A. review the configuration logs on the Monitor tab
    B. click Preview Changes under Push Scope
    C. use Test Policy Match to review the policies in Panorama
    D. context-switch to the affected firewall and use the configuration audit tool

  • Question 268:

    An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

    A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
    B. Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.
    C. Use the highest TLS protocol version to maximize security.
    D. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

  • Question 269:

    An administrator has been tasked with deploying SSL Forward Proxy. Which two types of certificates are used to decrypt the traffic? (Choose two.)

    A. Device certificate
    B. Subordinate CA from the administrator's own PKI infrastructure
    C. Self-signed root CA
    D. External CA certificate

  • Question 270:

    An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

    What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

    A. A service route to the LDAP server
    B. A Master Device
    C. Authentication Portal
    D. A User-ID agent on the LDAP server
