Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 261:

  Which log type would provide information about traffic blocked by a Zone Protection profile?

  A. Data Filtering

  B. IP-Tag

  C. Traffic

  D. Threat

  Correct Answer: D

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC Zone Protection profile is a set of security policies that you can apply to an interface or zone to protect it from reconnaissance, flooding, brute force, and other types of attacks. The log type that would provide information about traffic blocked by a Zone Protection profile is Threat4. This log type records events such as packet-based attacks, spyware, viruses, vulnerability exploits, and URL filtering.

• Question 262:

  View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)

  

  A. DNS has a higher priority and more bandwidth than SSH.

  B. Google-video has a higher priority and more bandwidth than WebEx.

  C. SMTP has a higher priority but lower bandwidth than Zoom.

  D. Facetime has a higher priority but lower bandwidth than Zoom.

  Correct Answer: AD

• Question 263:

  A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

  A. Use API calls to retrieve the configuration directly from the managed devices

  B. Export Named Configuration Snapshot on each firewall followed by Import Named Configuration Snapshot in Panorama

  C. import Device Configuration to Panorama followed by Export or Push Device Config Bundle

  D. Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices

  Correct Answer: C

• Question 264:

  During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

  Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

  A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.

  B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.

  C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust

  D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

• Question 265:

  A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

  A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.

  B. Use the Scheduled Config Push to schedule Push lo Devices and separately schedule an API call to commit all Panorama changes.

  C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

  D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

  Correct Answer: D

• Question 266:

  A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

  A. SSH Service profile

  B. SSL/TLS Service profile

  C. Decryption profile

  D. Certificate profile

  Correct Answer: A

  SSL/TLS profile is only the TLS versions, not ciphers. Decryption Profile is for SSL Inbound and Forward Proxy applications, not mgmt of the PANW Firewall. There's also KB articles to strengthen SSH, but I couldn't find any for HTTPS, on the mgmt interface

• Question 267:

  Which statement about High Availability timer settings is true?

  A. Use the Moderate timer for typical failover timer settings.

  B. Use the Critical timer for taster failover timer settings.

  C. Use the Recommended timer tor faster failover timer settings.

  D. Use the Aggressive timer for taster failover timer settings

  Correct Answer: D

• Question 268:

  Refer to the exhibit.

  

  Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

  A. shared pre-rules DATACENTER DG pre rules rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules DATACENTER.DG default rules

  B. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall shared post-rules DATACENTER.DG post-rules shared default rules

  C. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules shared default rules

  D. shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules DATACENTER_DG default rules

  Correct Answer: D

• Question 269:

  An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

  A. They can have a different bandwidth.

  B. They can have a different interface type such as Layer 3 or Layer 2.

  C. They can have a different interface type from an aggregate interface group.

  D. They can have different hardware media such as the ability to mix fiber optic and copper.

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-an-aggregate-interface-group

• Question 270:

  Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)

  A. SSH key

  B. User logon

  C. Short message service

  D. One-Time Password

  E. Push

  Correct Answer: CDE

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication