Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 281:

  Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

  A. upload-only
  B. upload and install and reboot
  C. verify and install
  D. upload and install
  E. install and reboot
  A. upload-only
  B. upload and install and reboot
  D. upload and install

  ---

  Explanation

  In Panorama after you download the software you have the install button and then you are choosing devices.

  By default it is uploading and installing the software, but there is a check box if you want to upload the software only, and there is another check box if you want to reboot the device after installation.

• Question 282:

  An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.

  Which option would achieve this result?

  A. Create a custom App-ID and enable scanning on the advanced tab.
  B. Create an Application Override policy.
  C. Create a custom App-ID and use the "ordered conditions" check box.
  D. Create an Application Override policy and custom threat signature for the application.
  A. Create a custom App-ID and enable scanning on the advanced tab.

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRoCAK

• Question 283:

  Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

  A. Verify AutoFocus status using the CLI test command.
  B. Check the WebUI Dashboard AutoFocus widget.
  C. Check for WildFire forwarding logs.
  D. Check the license.
  E. Verify AutoFocus is enabled below Device Management tab.
  D. Check the license.
  E. Verify AutoFocus is enabled below Device Management tab.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/assess-firewall-artifacts-with-autofocus/enable-autofocus-threat-intelligence#id9ac4f191-abbf-4483-8a43-57bc137038ce

• Question 284:

  Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)

  A. Short message service
  B. Push
  C. User logon
  D. Voice
  E. SSH key
  F. One-Time Password
  A. Short message service
  B. Push
  D. Voice
  F. One-Time Password

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/multi-factor-authentication Push -An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication. Short

  message service (SMS) -An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

  Voice -An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

  One-time password (OTP) -An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication.html#idbc927952-a47e-4bec-ab80-0605a47b4873

• Question 285:

  A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface.

  Which interface type and configuration setting will support this design?

  A. Trunk interface type with specified tag
  B. Layer 3 interface type with specified tag
  C. Layer 2 interface type with a VLAN assigned
  D. Layer 3 subinterface type with specified tag
  D. Layer 3 subinterface type with specified tag

  ---

  Explanation

• Question 286:

  An organization wants to begin decrypting guest and BYOD traffic.

  Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

  A. Authentication Portal
  B. SSL Decryption profile
  C. SSL decryption policy
  D. comfort pages
  A. Authentication Portal

  ---

  Explanation

  An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.

  An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.

  An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy4. An SSL decryption policy does not provide any user identification or notification functions.

  Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc5. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

• Question 287:

  The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

  A. Management only mode
  B. Expired certificates
  C. Outdated plugins
  D. GlobalProtect agent version
  C. Outdated plugins

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-panorama-plugins/panorama-plugins-upgrade-downgrade-considerations Before you upgrade to PAN-OS 11.0, you must download the Panorama plugin version supported on PAN-OS 11.0 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 11.0. See the Compatibility Matrixfor more information.

• Question 288:

  When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

  A. The interface must be used for traffic to the required services
  B. You must enable DoS and zone protection
  C. You must set the interface to Layer 2 Layer 3. or virtual wire
  D. You must use a static IP address
  D. You must use a static IP address

  ---

  Explanation

• Question 289:

  An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

  All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

  This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

  A. System logs
  B. Traffic logs
  C. WildFire logs
  D. Threat logs
  C. WildFire logs

  ---

  Explanation

• Question 290:

  An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?

  A. Use config-drive on a USB stick.
  B. Use an S3 bucket with an ISO.
  C. Create and attach a virtual hard disk (VHD).
  D. Use a virtual CD-ROM with an ISO.
  D. Use a virtual CD-ROM with an ISO.

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/management-features/bootstrapping-firewalls-for-rapid-deployment.html https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-package