Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 331:

  An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

  What should the enterprise do to use PAN-OS MFA1?

  A. Configure a Captive Porta1 authentication policy that uses an authentication profile that references a RADIUS profile
  B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
  C. Configure a Captive Portal authentication policy that uses an authentication sequence
  D. Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns
  B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy

  ---

  Explanation

  You should create an auth profile and use it in captive protal auth policy.

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication

• Question 332:

  Review the screenshot of the Certificates page.

  

  An administrator tor a small LLC has created a series of certificates as shown, to use tor a planned Decryption roll out The administrator has also installed the sell-signed root certificate A. The forward trust certificate has not been signed by the set-singed root CA certificate
  B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates
  C. The forward untrust certificate has not been signed by the self-singed root CA certificate
  D. The forward trust certificate has not been installed in client systems

  A. The forward trust certificate has not been signed by the set-singed root CA certificate

  ---

  Explanation

  The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate.

  References: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

• Question 333:

  Which is not a valid reason for receiving a decrypt-cert-validation error?

  A. Unsupported HSM
  B. Unknown certificate status
  C. Client authentication
  D. Untrusted issuer
  A. Unsupported HSM

  ---

  Explanation

  Per the link https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/networking-features/ssl-ssh-session-end-reasons , receiving the decrypt-cert-validation error is valid for the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. "Unsupported HSM" is not a valid reason for receiving a decrypt-cert-validation error.

• Question 334:

  Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

  A. Cortex Data Lake
  B. Panorama
  C. On Palo Alto Networks Update Servers
  D. M600 Log Collectors
  A. Cortex Data Lake

  ---

  Explanation

  The Device Telemetry data is stored on Cortex Data Lake3, which is a cloud-based service that collects and stores logs from your firewalls and other sources. Cortex Data Lake also enables you to analyze and visualize your data using various applications. To use Device Telemetry, you need to install a device certificate on your firewall3. This certificate authenticates your firewall to Cortex Data Lake and encrypts the data in transit.

• Question 335:

  A network security administrator wants to configure SSL inbound inspection.

  Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)

  A. An SSL/TLS Service profile
  B. The web server's security certificate with the private key
  C. A Decryption profile
  D. A Decryption policy
  E. The client's security certificate with the private key
  B. The web server's security certificate with the private key
  C. A Decryption profile
  D. A Decryption policy

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection

• Question 336:

  Which Panorama feature protects logs against data loss if a Panorama server fails?

  A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
  B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
  C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
  D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group
  B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

  ---

  Explanation

  "Log redundancy is available only if each Log Collector has the same number of logging disks." (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

  https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

• Question 337:

  A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

  A. The two devices must share a routable floating IP address
  B. The two devices may be different models within the PA-5000 series
  C. The HA1 IP address from each peer must be on a different subnet
  D. The management port may be used for a backup control connection
  D. The management port may be used for a backup control connection

  ---

  Explanation

• Question 338:

  A network security engineer wants to prevent resource-consumption issues on the firewall.

  Which strategy is consistent with decryption best practices to ensure consistent performance?

  A. Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
  B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic
  C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
  D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers
  B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

• Question 339:

  DRAG DROP

  When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all.

  Select and Place:

  

  

  Explanation

• Question 340:

  Which feature can provide NGFWs with User-ID mapping information?

  A. GlobalProtect
  B. Web Captcha
  C. Native 802.1q authentication
  D. Native 802.1x authentication
  A. GlobalProtect

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/user-id-concepts/user-mapping.html