Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 21:

  Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)

  A. RADIUS

  B. TACACS+

  C. Kerberos

  D. LDAP

  E. SAML

  Correct Answer: ABE

  According to the Palo Alto Networks documentation1, the firewall can use three external authentication services to authenticate admins into the Palo Alto Networks NGFW without creating administrator accounts on the firewall: RADIUS,

  TACACS+, and SAML. These services allow the firewall to verify the credentials of admins against an external server and grant them access based on their assigned roles and permissions.

  Therefore, the correct answer is A, B, and E.

  The other options are not external authentication services that the firewall can use to authenticate admins:

  Kerberos: This option is not an external authentication service that the firewall can use to authenticate admins. Kerberos is a protocol that allows users to access network resources using a single sign-on mechanism. The firewall can use

  Kerberos to authenticate users for GlobalProtect VPN or Captive Portal, but not for admin access.

  LDAP: This option is not an external authentication service that the firewall can use to authenticate admins. LDAP is a protocol that allows querying and modifying directory services over a network. The firewall can use LDAP to retrieve user

  and group information from an external server, but not to authenticate admins.

  References:

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/external-authentication-services

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/kerberos-authentication

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-users-using-an-ldap-server

• Question 22:

  An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

  What type of service route can be used for this configuration?

  A. IPv6 Source or Destination Address

  B. Destination-Based Service Route

  C. IPv4 Source Interface

  D. Inherit Global Setting

  Correct Answer: C

  The IPv4 Source Interface service route allows the administrator to specify a source interface for a service based on the virtual system. This option overrides the inherited global service route configuration and provides more granular control over the service routes for each virtual system. References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system.html

• Question 23:

  A company wants to add threat prevention to the network without redesigning the network routing.

  What are two best practice deployment modes for the firewall? (Choose two.)

  A. Virtual Wire

  B. Layer3

  C. TAP

  D. Layer2

  Correct Answer: AD

  VirtualWire and Layer2 deployment modes allow the firewall to act as a bump in the wire without changing the existing network routing. In VirtualWire mode, the firewall bridges two interfaces and passes traffic between them without any IP-layer processing. In Layer2 mode, the firewall acts as a transparent switch and processes traffic at Layer2 of the OSI model.

  References: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/virtual-wire-deployments.html https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/layer-2-deployments.html

• Question 24:

  Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

  A. Log Ingestion

  B. HTTP

  C. Log Forwarding

  D. LDAP

  Correct Answer: BC

  Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. Configure an HTTP server profile to forward logs to a remote User-ID agent. Select the log forwarding profile you created then select this server profile as the HTTP server profile https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

• Question 25:

  In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

  A. The running configuration with the candidate configuration of the firewall

  B. Applications configured in the rule with their dependencies

  C. Applications configured in the rule with applications seen from traffic matching the same rule

  D. The security rule with any other security rule selected

  Correct Answer: C

  The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This option helps the administrator to identify any discrepancies between the intended and actual applications allowed by the rule. The administrator can then optimize the rule by adding or removing applications as needed. Option A is incorrect because the compare option does not compare the running configuration with the candidate configuration of the firewall. That is done by using the Commit > Commit and Push option. Option B is incorrect because the compare option does not compare applications configured in the rule with their dependencies. That is done by using the App Dependencies tab under Policy Optimizer. Option D is incorrect because the compare option does not compare the security rule with any other security rule selected. That is done by using the Compare Rules option under Policies > Security.

• Question 26:

  A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

  The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

  What is the best choice for an SSL Forward Untrust certificate?

  A. A web server certificate signed by the organization's PKI

  B. A self-signed certificate generated on the firewall

  C. A subordinate Certificate Authority certificate signed by the organization's PKI

  D. A web server certificate signed by an external Certificate Authority

  Correct Answer: B

  B is the best choice for an SSL Forward Untrust certificate because a self-signed certificate generated on the firewall is not trusted by any client browsers by default1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the self-signed certificate to the client, which will trigger an untrusted certificate warning2. This way, the security admin can ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

  A web server certificate signed by the organization's PKI (A) or a subordinate Certificate Authority certificate signed by the organization's PKI ?are not good choices for an SSL Forward Untrust certificate because they are trusted by the client browsers that have the organization's root CA installed1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server or subordinate CA certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

  A web server certificate signed by an external Certificate Authority (D) is not a good choice for an SSL Forward Untrust certificate because it is trusted by most client browsers that have the external CA in their trust store1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

  Verified References:

  1: How to Configure SSL Decryption - Palo Alto Networks Knowledge Base

  2: How to Implement and Test SSL Decryption - Palo Alto Networks Knowledge Base

• Question 27:

  As a best practice, logging at session start should be used in which case?

  A. On all Allow rules

  B. While troubleshooting

  C. Only when log at session end is enabled

  D. Only on Deny rules

  Correct Answer: B

  Logging at session start should be used as a best practice while troubleshooting. Logging at session start allows the administrator to see the logs for sessions that are initiated but not completed, such as sessions that are dropped or blocked by the firewall. This can help the administrator to identify and resolve issues with network connectivity or firewall configuration. Logging at session start should not be used for normal operations because it generates more logs and consumes more resources on the firewall. Option A is incorrect because logging at session start should not be used on all Allow rules. Logging at session end is sufficient for Allow rules because it provides information about the completed sessions, such as bytes and packets transferred, application, user, and threat information. Option C is incorrect because logging at session start can be used independently of logging at session end. Logging at session start and logging at session end are not mutually exclusive options. Option D is incorrect because logging at session start should not be used only on Deny rules. Logging at session end is sufficient for Deny rules because it provides information about the denied sessions, such as source and destination IP addresses, ports, and protocol.

• Question 28:

  When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

  A. HSCI-C

  B. Console Backup

  C. HA3

  D. HA2 backup

  Correct Answer: CD

  These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them1. To configure an active/

  active high availability pair, the following links are required2:

  HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy. HA2: This is

  the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy. HA3: This is the session owner

  synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/

  passive pairs.

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

• Question 29:

  Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

  

  A. Yes, because the action is set to alert

  B. No, because this is an example from a defeated phishing attack

  C. No, because the severity is high and the verdict is malicious.

  D. Yes, because the action is set to allow.

  Correct Answer: D

  As long as the action is set to allow, then it will still allow it. Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/ threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae

• Question 30:

  What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

  A. Deny

  B. Discard

  C. Allow

  D. Next VR

  Correct Answer: B

  Set the Action to take when matching a packet:

  Forward-Directs the packet to the specified Egress Interface. Forward to VSYS (On a firewall enabled for multiple virtual systems)--Select the virtual system to which to forward the packet.

  Discard--Drops the packet.

  No PBF-Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the

  redirected port.

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a- 90fabee5293c