Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 331:

  An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)

  A. Inherit settings from the Shared group

  B. Inherit IPSec crypto profiles

  C. Inherit all Security policy rules and objects

  D. Inherit parent Security policy rules and objects

  Correct Answer: AD

  https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama- overview/centralized-firewall-configuration-and-update-management/device-groups/device- group-hierarchy

• Question 332:

  An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

  

  What could an administrator do to troubleshoot the issue?

  A. Goto Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

  B. Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

  C. Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

  D. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

  Correct Answer: B

  If the HA status is showing as down after enabling HA Heartbeat Backup on two devices, an administrator could troubleshoot the issue by checking the peer IP address in the permit list in Device > Setup > Management > Interfaces >

  Management Interface Settings. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 7:

  High Availability, under the section "Configure Heartbeat Backup for Redundancy":

  "Verify that the management interface's permitted IP addresses on each peer includes the IP address of the other peer's Heartbeat Backup interface."

• Question 333:

  An engineer is tasked with configuring SSL forward proxy for traffic going to external sites. Which of the following statements is consistent with SSL decryption best practices?

  A. The forward trust certificate should not be stored on an HSM.

  B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.

  C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL decryption

  D. The forward untrust certificate should not be signed by a Trusted Root CA

  Correct Answer: B

  According to the PCNSE Study Guide1, SSL forward proxy is a feature that allows the firewall to decrypt and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the server, generating a certificate on

  the fly for each site.

  The best practices for configuring SSL forward proxy are23:

  Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients. This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The clients will not see any certificate errors

  if they trust the forward trust certificate.

  Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they do not trust the forward untrust

  certificate. This helps alert users of potential risks and prevent man-in-the-middle attacks. Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM does not support on-the-fly signing of certificates,

  which is required for SSL forward proxy.

• Question 334:

  What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

  A. Navigate to Device > Setup > TCP Settings > NAT Oversubscription Rate

  B. Navigate to Policies > NAT > Destination Address Translation > Dynamic IP (with session distribution)

  C. Navigate to Policies > NAT > Source Address Translation > Dynamic IP (with session distribution)

  D. Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate

  Correct Answer: D

  NAT oversubscription is a feature that allows you to reuse a translated IP address and port for multiple source devices. This can help you conserve public IP addresses and increase the number of sessions that can be translated by a NAT rule.

• Question 335:

  What is the best definition of the Heartbeat Interval?

  A. The interval in milliseconds between hello packets

  B. The frequency at which the HA peers check link or path availability

  C. The frequency at which the HA peers exchange ping

  D. The interval during which the firewall will remain active following a link monitor failure

  Correct Answer: C

  The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

  "A "heartbeat-interval" CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link." https:// knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK

• Question 336:

  A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled.

  What action should the engineer take?

  A. Add an authentication algorithm in the IPSec Crypto profile.

  B. Enable PFS under the IPSec Tunnel advanced options.

  C. Select the appropriate DH Group under the IPSec Crypto profile.

  D. Enable PFS under the IKE gateway advanced options

  Correct Answer: C

  PFS (Perfect Forward Secrecy) is a feature that ensures that the encryption keys used for each IPSec session are not derived from previous keys. This provides more security in case one key is compromised. To enable PFS, the administrator needs to select the appropriate DH (Diffie-Hellman) Group under the IPSec Crypto profile that is applied to the IPSec tunnel. The DH Group determines the strength of the key exchange and should match on both ends of the tunnel1. The other options do not enable PFS. The authentication algorithm in the IPSec Crypto profile is used to verify the integrity of the IPSec packets. The PFS option under the IPSec Tunnel advanced options or the IKE gateway advanced options does not exist in the WebUI.

  References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpn/site-to-site-vpn/configure-the-ipsec-crypto-profile

• Question 337:

  How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

  A. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

  B. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

  C. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

  D. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/enable-advanced-routing

• Question 338:

  An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

  Which three platforms support PAN-OS 10 2? (Choose three.)

  A. PA-5000 Series

  B. PA-500

  C. PA-800 Series

  D. PA-220

  E. PA-3400 Series

  Correct Answer: CDE

  According to the Palo Alto Networks Compatibility Matrix1, the three platforms that support PAN-OS 10.2 are: PA-800 Series2 PA-2202 PA-3400 Series2 The PA-5000 Series and PA-500 do not support PAN-OS 10.22. To upgrade devices to PAN-OS 10.2 using Panorama, you need to determine the upgrade path3, upgrade Panorama itself4, and then upgrade the firewalls using Panorama5.

• Question 339:

  Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

  A. Video Streaming Application

  B. Destination Domain

  C. Client Application Process

  D. Source Domain

  E. URL Category

  Correct Answer: BCE

  The GlobalProtect Gateway supports three methods for split tunneling:

  Access Route -- You can define a list of IP addresses or subnets that are accessible through the VPN tunnel. All other traffic goes directly to the internet. Domain and Application -- You can define a list of domains or applications that are

  accessible through the VPN tunnel. All other traffic goes directly to the internet. You can also use this method to exclude specific domains or applications from the VPN tunnel. Video Traffic -- You can exclude video streaming traffic from the

  VPN tunnel based on predefined categories or custom URLs. This method reduces latency and jitter for video streaming applications.

• Question 340:

  An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

  Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

  A. Run the CLI command show advanced-routing ospf neighbor

  B. In the WebUl, view the Runtime Stats in the logical router.

  C. In the WebUl, view the Runtime Stats in the virtual router.

  D. Look for configuration problems in Network > virtual router > OSPF

  Correct Answer: AC

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752 https://docs.paloaltonetworks.com/pan-os/10-2/ pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking