Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 271:

  An engineer is bootstrapping a VM-Series Firewall Other than the 'config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

  A. /software

  B. /opt

  C. /license

  D. /content

  E. /plugins

  Correct Answer: ACD

  https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/prepare-the-bootstrap-package

• Question 272:

  Review the screenshot of the Certificates page.

  

  An administrator tor a small LLC has created a series of certificates as shown, to use tor a planned Decryption roll out The administrator has also installed the sell-signed root certificate

  A. The forward trust certificate has not been signed by the set-singed root CA certificate

  B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates

  C. The forward untrust certificate has not been signed by the self-singed root CA certificate

  D. The forward trust certificate has not been installed in client systems

  Correct Answer: A

  The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate.

  References: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

• Question 273:

  The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

  A. Management only mode

  B. Expired certificates

  C. Outdated plugins

  D. GlobalProtect agent version

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-panorama-plugins/panorama-plugins-upgrade-downgrade-considerations Before you upgrade to PAN-OS 11.0, you must download the Panorama plugin version supported on PAN-OS 11.0 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 11.0. See the Compatibility Matrixfor more information.

• Question 274:

  An engineer is designing a deployment of multi-vsys firewalls.

  What must be taken into consideration when designing the device group structure?

  A. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

  B. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

  C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

  D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

  Correct Answer: C

  A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama1. References: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)

• Question 275:

  A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

  A. A self-signed Certificate Authority certificate generated by the firewall

  B. A Machine Certificate for the firewall signed by the organization's PKI

  C. A web server certificate signed by the organization's PKI

  D. A subordinate Certificate Authority certificate signed by the organization's PKI

  Correct Answer: D

  Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

• Question 276:

  After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.

  

  What are two explanations for this type of issue? (Choose two)

  A. The peer IP is not included in the permit list on Management Interface Settings

  B. The Backup Peer HA1 IP Address was not configured when the commit was issued

  C. Either management or a data-plane interface is used as HA1-backup

  D. One of the firewalls has gone into the suspended state

  Correct Answer: BC

  Cause The issue is seen when the HA1-backup is configured with either management (MGT) or an in-band interface. The "Backup Peer HA1 IP Address" is not configured : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCA Uandlang=en_US%E2%80%A9

• Question 277:

  With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

  

  A. Incomplete

  B. unknown-udp

  C. Insufficient-data

  D. not-applicable

  Correct Answer: B

  t is a UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP connections only. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

• Question 278:

  An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

  A. Use the show predefined xpath command and review the output.

  B. Review the App Dependency application list from the Commit Status view.

  C. Open the security policy rule and review the Depends On application list.

  D. Reference another application group containing similar applications.

  Correct Answer: BC

  These two methods allow the administrator to see the dependent applications for a security policy rule that uses application-based criteria. The App Dependency application list shows the applications that are required for the rule to function properly. The Depends On application list shows the applications that are implicitly added to the rule based on the predefined dependencies.

  References: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/app-id-features/simplified-application-dependency-workflow https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies

• Question 279:

  Refer to the exhibit.

  

  Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

  A. Click the hyperlink for the Zero Access.Gen threat.

  B. Click the left arrow beside the Zero Access.Gen threat.

  C. Click the source user with the highest threat count.

  D. Click the hyperlink for the hotport threat Category.

  Correct Answer: B

  Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9

• Question 280:

  Four configuration choices are listed, and each could be used to block access to a specific URL.

  If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

  A. PAN-DB URL category in URL Filtering profile

  B. Custom URL category in Security policy rule

  C. Custom URL category in URL Filtering profile

  D. EDL in URL Filtering profile

  Correct Answer: A