A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?
A. routes listed in the routing table with flags
B. routes listed in the routing table with flags AB
C. under the BGP Summary tab
D. routes listed in the forwarding table with BGP in the Protocol column
B. routes listed in the routing table with flags AB
Explanation
Flags:
AB -- Active and learned via BGP
A C -- Active and a result of an internal interface (connected) - Destination = network
A H -- Active and a result of an internal interface (connected) - Destination = Host only
A R -- Active and learned via RIP
A S -- Active and static
S -- Inactive (because this route has a higher metric) and static
O1 -- OSPF external type-1
O2 -- OSPF external type-2
Oi -- OSPF intra-area
Oo -- OSPF inter-area
Question 322:
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.
Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A. Option A
B. Option B
C. Option C
D. Option D
C. Option C
Explanation
The zones in a NAT rule follow the interfaces the traffic uses. The source (the internet) is in the internet zone, and the destination is the internet-facing interface of the firewall, so the destination zone is also internet. The destination address is then translated into an IP address that the internal network can use.
Question 323:
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
A. Choose the URL categories on Site Access column and set action to block. Click the User credential Detection tab and select IP User Mapping. Commit.
B. Choose the URL categories in the User Credential Submission column and set action to block. Select the User credential Detection tab and select use IP User Mapping. Commit.
C. Choose the URL categories in the User Credential Submission column and set action to block. Select the URL filtering settings and enable Domain Credential Filter. Commit.
D. Choose the URL categories in the User Credential Submission column and set action to block. Select the User credential Detection tab and select Use Domain Credential Filter. Commit.
D. Choose the URL categories in the User Credential Submission column and set action to block. Select the User credential Detection tab and select Use Domain Credential Filter. Commit.
Explanation
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions to known corporate credentials. You can configure solutions that detect and prevent credential phishing using URL filtering profiles and User-ID agents.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention
Question 324:
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache
B. show system setting ssl-decrypt certificate
Question 325:
Which states will a pair of firewalls be in if their HA Group ID is mismatched?
A. Active/Non-functional
B. Active/Passive
C. Init/Init
D. Active/Active
Question 326:
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?
A. Enable QoS Data Filtering Profile
B. Enable QoS monitor
C. Enable QoS interface
D. Enable QoS in the interface Management Profile
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS policy, a QoS Profile, and configuration of the QoS egress interface.
Question 327:
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two)
A. equal-cost multipath
B. ingress processing errors
C. rule match with action "allow"
D. rule match with action "deny"
B. ingress processing errors
D. rule match with action "deny"
Explanation
Denying traffic will discard the packet. Packets can also be discarded due to malformed or incorrect frames, datagrams or packets.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
Question 328:
Which GlobalProtect component must be configured to enable Clientless VPN?
A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway
C. GlobalProtect portal
Explanation
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used with an existing one. https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5
Question 329:
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service.
What should an administrator configure to enable automatic failover to the backup tunnel?
A. Replay Protection
B. Zone Protection
C. Tunnel Monitor
D. Passive Mode
C. Tunnel Monitor
Question 330:
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours
B. 6 to 12 hours
Explanation
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.