Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 281:

  A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

  A. IKE Gateway profile

  B. IPSec Crypto profile

  C. IPSec Tunnel settings

  D. IKE Crypto profile

  Correct Answer: B

  The **IKE crypto profile** is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

  The **IPSec crypto profile** is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

• Question 282:

  An engineer needs to collect User-ID mappings from the company's existing proxies.

  What two methods can be used to pull this data from third party proxies? (Choose two.)

  A. Syslog

  B. XFF Headers

  C. Client probing

  D. Server Monitoring

  Correct Answer: AB

  To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

  Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.For further details, refer to the Palo Alto Networks documentation on User-ID integration and the "PAN-OS?Administrator's Guide".

• Question 283:

  A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation counters are increasing. Which CLI command should the engineer run?

  A. Show vpn tunnel name | match encap

  B. Show vpn flow name

  C. Show running tunnel flow lookup

  D. Show vpn ipsec-sa tunnel

  Correct Answer: B

• Question 284:

  Refer to the exhibit.

  

  Review the screenshots and consider the following information:

  1.

  FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

  2.

  There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups. Which IP address will be pushed to the firewalls inside Address Object Server-1?

  A. Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.

  B. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

  C. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

  D. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.

  Correct Answer: D

  FW-1 will get the value from FW-DG1 while FW-2 will get the value from the Shared DG since no values are present in its parent DGs. https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-devicegroups/manage-precedence-of-inherited-objects

• Question 285:

  A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

  What should the administrator do to allow the tool to scan through the firewall?

  A. Remove the Zone Protection profile from the zone setting.

  B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.

  C. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

  D. Change the TCP port scan action from Block to Alert in the Zone Protection profile.

  Correct Answer: B

• Question 286:

  What is the dependency for users to access services that require authentication?

  A. An Authentication profile that includes those services

  B. Disabling the authentication timeout

  C. An authentication sequence that includes those services

  D. A Security policy allowing users to access those services

  Correct Answer: D

• Question 287:

  An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

  A. Export the log database.

  B. Use the import option to pull logs.

  C. Use the ACC to consolidate the logs.

  D. Use the scp logdb export command.

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb

• Question 288:

  An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?

  A. The trusted certificate

  B. The server certificate

  C. The untrusted certificate

  D. The root CA

  Correct Answer: B

• Question 289:

  An engineer has been given approval to upgrade their environment 10 PAN-OS 10 2 The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log collectors

  What is the recommended order when upgrading to PAN-OS 10.2?

  A. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

  B. Upgrade the firewalls upgrade log collectors, upgrade Panorama

  C. Upgrade the firewalls upgrade Panorama, upgrade the log collectors

  D. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

  Correct Answer: A

  Make sure Panorama is running the same or a later PAN-OS version than you are upgrading to. You must upgrade Panorama and its Log Collectors to 10.2 before upgrading the managed firewalls to this version. In addition, when upgrading Log Collectors to 10.2, you must upgrade all Log Collectors at the same time due to changes in the logging infrastructure.

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-firewalls-using-panorama

• Question 290:

  An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?

  A. Device administrator (read-only)

  B. System administrator (read-only)

  C. Firewall administrator (read-only)

  D. Superuser (read-only)

  Correct Answer: A