Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 271:

  Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

  A. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
  B. External zones are required because the same external zone can be used on different virtual systems
  C. To allow traffic between zones in different virtual systems without the traffic leaving the appliance
  D. Multiple external zones are required in each virtual system to allow the communications between virtual systems
  C. To allow traffic between zones in different virtual systems without the traffic leaving the appliance

  ---

  Explanation

• Question 272:

  Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.

  Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

  A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
  B. Wait until an official Application signature is provided from Palo Alto Networks.
  C. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application
  D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic
  D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

  ---

  Explanation

• Question 273:

  Which rule type controls end user SSL traffic to external websites?

  A. SSL Outbound Proxyless Inspection
  B. SSL Forward Proxy
  C. SSL Inbound Inspection
  D. SSH Proxy
  B. SSL Forward Proxy

  ---

  Explanation

  The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

  This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.

• Question 274:

  An administrator plans to install the Windows User-ID agent on a domain member system.

  What is a best practice for choosing where to install the User-ID agent?

  A. On the same RODC that is used for credential detection
  B. In close proximity to the firewall it will be providing User-ID to
  C. In close proximity to the servers it will be monitoring
  D. On the DC holding the Schema Master FSMO role
  C. In close proximity to the servers it will be monitoring

  ---

  Explanation

• Question 275:

  An administrator is considering deploying WildFire globally.

  What should the administrator consider with regards to the WildFire infrastructure?

  A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
  B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
  C. Each WildFire cloud analyzes samples independently of the other WildFire clouds.
  D. The WildFire Global Cloud only provides bare metal analysis.
  C. Each WildFire cloud analyzes samples independently of the other WildFire clouds.

  ---

  Explanation

  Each WildFire cloud-global and regional-analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. WildFire signatures and verdicts are then shared globally, enabling WildFire users worldwide to benefit from malware coverage regardless of the location in which the malware was first detected.

• Question 276:

  Which two events trigger the operation of automatic commit recovery? (Choose two.)

  A. when an aggregate Ethernet interface component fails
  B. when Panorama pushes a configuration
  C. when a firewall HA pair fails over
  D. when a firewall performs a local commit
  B. when Panorama pushes a configuration
  D. when a firewall performs a local commit

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama-features/automatic-panorama-connection-recovery.html

  Automatic commit recovery allows you to configure the firewall to attempt a specified number of connectivity tests after:

  1-you push a configuration from Panorama or

  2-commit a configuration change locally on the firewall.

  Additionally, the firewall checks connectivity to Panorama every hour to ensure consistent communication in the event unrelated network configuration changes have disrupted connectivity between the firewall and Panorama or if implications to a pushed committed configuration may have affected connectivity.

• Question 277:

  A customer wants to set up a site-to-site VPN using tunnel interfaces. What format is the correct naming convention for tunnel interfaces?

  A. tun.1025
  B. tunnel.50
  C. vpn.1024
  D. gre1/2
  B. tunnel.50

  ---

  Explanation

• Question 278:

  A customer is replacing their legacy remote access VPN solution The current solution is in place to secure only internet egress for the connected clients Prisma Access has been selected to replace the current remote access VPN solution During onboarding the following options and licenses were selected and enabled

  1.Prisma Access for Remote Networks 300Mbps

  2.Prisma Access for Mobile Users 1500 Users

  3.Cortex Data Lake 2TB

  4.Trusted Zones trust

  5.Untrusted Zones untrust

  6.Parent Device Group shared

  How can you configure Prisma Access to provide the same level of access as the current VPN solution?

  A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet
  B. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet
  C. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet
  D. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet
  A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet

  ---

  Explanation

  To provide the same level of access as the current VPN solution, which is to secure only Internet egress for the connected clients, you can configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet. This way, the mobile users will be assigned an IP address from a pool that belongs to the trust zone, and they will be able to access the Internet through Prisma Access using a gateway that belongs to the untrust zone. You do not need to configure a service connection for this scenario, as a service connection is used to enable access between mobile users and remote networks or private apps. You also do not need to configure trust-to-trust Security policy rules, as they are used to enable access between mobile users and other trusted resources.

  References: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/create-a-service-connection-to-enable-access-between-users-and-networks https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-mobile-users/mobile-users-globalprotect/globalprotect-features-for-prisma-access.html

• Question 279:

  Which two features does PAN-OS software use to identify applications? (Choose two)

  A. port number
  B. session number
  C. transaction characteristics
  D. application layer payload
  C. transaction characteristics
  D. application layer payload

  ---

  Explanation

  The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application-layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.

• Question 280:

  After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

  What can the engineer do to solve the VoIP traffic issue?

  A. Disable ALG under H.323 application
  B. Increase the TCP timeout under H.323 application
  C. Increase the TCP timeout under SIP application
  D. Disable ALG under SIP application
  D. Disable ALG under SIP application

  ---

  Explanation

  According to the Palo Alto Networks documentation1, application-level gateway (ALG) is a feature that allows the firewall to inspect and modify the payload of some protocols, such as SIP, to enable NAT traversal and firewall policy enforcement. However, ALG can also cause issues with some VoIP implementations, such as modifying the SIP headers incorrectly or opening unnecessary pinholes for media ports. Therefore, disabling ALG under SIP application can help solve the VoIP traffic issue by preventing the firewall from altering the voice packets payload and opening dynamic pinholes2. Therefore, the correct answer is

  D. The other options are not relevant or helpful for solving the VoIP traffic issue: Disable ALG under H.323 application: This option would disable ALG for H.323 protocol, which is another VoIP protocol, but not the one used in this scenario. The scenario mentions SIP as the signaling protocol, so disabling ALG under

  H.323 application would have no effect on the VoIP traffic issue. Increase the TCP timeout under H.323 application: This option would increase the TCP timeout for H.323 protocol, which is another VoIP protocol, but not the one used in this scenario. The scenario mentions SIP as the signaling protocol, which uses UDP by default, so increasing the TCP timeout under H.323 application would have no effect on the VoIP traffic issue. Increase the TCP timeout under SIP application: This option would increase the TCP timeout for SIP protocol, which is the signaling protocol used in this scenario. However, SIP uses UDP by default, so increasing the TCP timeout would have no effect on the VoIP traffic issue. Moreover, increasing the TCP timeout would not address the problem of NAT on the voice packets payload and dynamic pinholes for media ports.

  References:

  1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg

  2: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK