An administrator is configuring a Panorama device group.
Which two objects are configurable? (Choose two.)
A. DNS Proxy
B. Address groups
C. SSL/TLS roles
D. URL Filtering profiles
Correct Answer: BD
URL filtering is a feature in Palo Alto Networks firewalls that allows administrators to block access to specific URLs [1]. This feature can be configured via four different objects: Custom URL categories in URL Filtering profiles, PAN-DB URL categories in URL Filtering profiles, External Dynamic Lists (EDL) in URL Filtering profiles, and Custom URL categories in Security policy rules. The evaluation order for URL filtering is: Custom URL categories in URL Filtering profile, PAN-DB URL categories in URL Filtering profile, EDL in URL Filtering profile, and Custom URL category in Security policy rule. This information can be found in the Palo Alto Networks PCNSE Study Guide, which can be accessed here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/resource-library/palo-alto-networks-pcnse-study-guide.html.
Question 322:
An engineer discovers the management interface is not routable to the User-ID agent. What configuration is needed to allow the firewall to communicate to the User-ID agent?
A. Create a NAT policy for the User-ID agent server
B. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
C. Create a custom service route for the UID Agent
D. Add a static route to the virtual router
Correct Answer: C
To allow the firewall to communicate with the User-ID agent, you need to configure a custom service route for the UID Agent. A custom service route allows you to specify which interface and source IP address the firewall uses to connect to a specific destination service. By default, the firewall uses its management interface for services such as User-ID, but you can override this behavior by creating a custom service route. To configure a custom service route for the UID Agent, follow these steps:
Go to Device > Setup > Services and click Service Route Configuration.
In the Service column, select User-ID Agent from the drop-down list.
In the Interface column, select an interface that can reach the User-ID agent server from the drop-down list.
In the Source Address column, select an IP address that belongs to that interface from the drop-down list.
Click OK and Commit your changes.
The correct answer is C. Create a custom service route for UID Agent.
Question 323:
A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application.
What must be enabled to allow an interface to forward multicast traffic?
A. IGMP
B. PIM
C. BFD
D. SSM
Correct Answer: B
PIM is a protocol that enables routers to forward multicast traffic efficiently based on the source and destination addresses. PIM can operate in two modes: sparse mode (PIM-SM) or dense mode (PIM-DM). PIM-SM uses a rendezvous point (RP) as a central point for distributing multicast traffic, while PIM-DM uses flooding and pruning techniques. Enabling PIM on the interface allows routers to forward multicast traffic using either sparse mode or dense mode, depending on your network topology and requirements.
Question 324:
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
D. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
A. set deviceconfig setting tcp asymmetric-path drop
B. set deviceconfig setting session tcp-reject-non-syn no
C. set session tcp-reject-non-syn yes
D. set deviceconfig setting tcp asymmetric-path bypass
Correct Answer: B
To work around this issue, one possible troubleshooting command is "set deviceconfig setting session tcp-reject-non-syn no", which disables TCP reject non-SYN temporarily (until reboot). This command allows a non-SYN first packet through without dropping it. The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set, but not the SYN flag, which indicates asymmetric traffic flow. The tcp-reject-non-syn option controls whether the firewall drops non-SYN TCP packets. In this case, disabling the tcp-reject-non-syn option using the "set deviceconfig setting session tcp-reject-non-syn no" command can help work around the issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.
Question 326:
Which source is the most reliable for collecting User-ID user mapping?
A. GlobalProtect
B. Microsoft Active Directory
C. Microsoft Exchange
D. Syslog Listener
Correct Answer: A
User-ID is a feature that enables you to identify and control users on your network based on their usernames instead of their IP addresses. User mapping is the process of mapping IP addresses to usernames using various sources of information. The most reliable source for collecting User-ID user mapping is GlobalProtect. GlobalProtect is a solution that provides secure access to your network and resources from anywhere. GlobalProtect agents on endpoints send user mapping information directly to the firewall or Panorama, which eliminates the need for probing other sources. GlobalProtect also supports dynamic IP address changes and roaming users.
Question 327:
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
A. Cortex Data Lake
B. Panorama
C. On Palo Alto Networks Update Servers
D. M600 Log Collectors
Correct Answer: A
The Device Telemetry data is stored on Cortex Data Lake, which is a cloud-based service that collects and stores logs from your firewalls and other sources. Cortex Data Lake also enables you to analyze and visualize your data using various applications. To use Device Telemetry, you need to install a device certificate on your firewall. This certificate authenticates your firewall to Cortex Data Lake and encrypts the data in transit.
Question 328:
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose TWO)
A. Exclude video traffic
B. Enable decryption
C. Block traffic that is not work-related
D. Create a Tunnel Inspection policy
Correct Answer: AC
This is because excluding video traffic from being sent over the VPN will reduce the amount of bandwidth being used during peak hours, allowing more bandwidth to be available for other types of traffic. Blocking non-work-related traffic will also reduce the amount of bandwidth being used, further freeing up bandwidth for work-related traffic. Enabling decryption and creating a Tunnel Inspection policy are not likely to mitigate the issue of decreased performance during peak-use hours, as they do not directly address the issue of limited bandwidth availability during these times.
Which log type will help the engineer verify whether packet buffer protection was activated?
A. Data Filtering
B. Configuration
C. Threat
D. Traffic
Correct Answer: C
The log type that will help the engineer verify whether packet buffer protection was activated is Threat Logs. Threat Logs are logs generated by the Palo Alto Networks firewall when it detects malicious activity on the network. These logs contain information about the source, destination, and type of threat detected. They also contain information about the packet buffer protection that was activated in response to the detected threat. This information can help the engineer verify that packet buffer protection was activated and determine which actions were taken in response to the detected threat.