Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 341:

  Which two statements are true for the DNS Security service? (Choose two.)

  A. It eliminates the need for dynamic DNS updates
  B. It functions like PAN-DB and requires activation through the app portal
  C. It removes the 100K limit for DNS entries for the downloaded DNS updates
  D. It is automatically enabled and configured
  A. It eliminates the need for dynamic DNS updates
  B. It functions like PAN-DB and requires activation through the app portal

  ---

  Explanation

  https://docs.paloaltonetworks.com/dns-security.html

• Question 342:

  Which three items must be configured to implement application override? (Choose three )

  A. Custom app
  B. Security policy rule
  C. Application override policy rule
  D. Decryption policy rule
  E. Application filter
  A. Custom app
  B. Security policy rule
  C. Application override policy rule

  ---

  Explanation

  According to the Palo Alto Networks documentation1, application override is where the firewall is configured to override the normal application identification (App-ID) of specific traffic passing through the firewall. To implement application override, the following items must be configured: Custom app: This is a user-defined application that is used to identify the traffic that needs to be overridden. It is recommended to create a custom app for the application override policy, rather than using a predefined app that may have different default ports and threat inspection capabilities2. Security policy rule: This is a rule that allows the traffic that matches the custom app through the firewall. The security policy rule must use the custom app as the application filter and specify the source and destination zones, addresses, and users as needed2. Application override policy rule: This is a rule that defines the criteria for overriding the App-ID of the traffic. The application override policy rule must use the custom app as the application filter and specify the source and destination zones, addresses, ports, and protocols as needed2. The other options are not required or relevant for implementing application override: Decryption policy rule: This is a rule that defines the criteria for decrypting encrypted traffic. It is not related to application override, although decryption may be needed to identify some applications that use encryption. Application filter: This is an object that groups applications based on various criteria, such as category, subcategory, technology, or risk. It is not an item that must be configured for application override, although it can be used as a reference in security policy rules or custom apps.

  References: https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-create-an-application-override/ba-p/451872 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0 https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/how-decryption-works https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-custom-or-unknown-applications/create-an-application-filter

• Question 343:

  Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)

  A. SSH key
  B. User logon
  C. Short message service
  D. One-Time Password
  E. Push
  C. Short message service
  D. One-Time Password
  E. Push

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication

• Question 344:

  Refer to the screenshots.

  

  Without the ability to use Context Switch, where do admin accounts need to be configured in order to provide admin access to Panorama and to the managed devices?

  A. The Panorama section overrides the Device section. The accounts need to be configured only in the Panorama section.
  B. The sections are independent. The accounts need to be configured in both the Device and Panorama sections.
  C. The Device section overrides Panorama section. The accounts need to be configured only in the Device section.
  D. Configuration in the sections is merged together. The accounts need to be configured in either section.
  B. The sections are independent. The accounts need to be configured in both the Device and Panorama sections.

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/context-switchfirewall-or-panorama

• Question 345:

  Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

  

  

  A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
  B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and Spermitted-subnet-2.
  C. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
  D. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1l and $permitted-subnet-2.
  C. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

  ---

  Explanation

  "-Force Template Value will as the name suggest remove any local configuratio and apply the value define the panorama template. But this is valid only for overlapping configuration" "You need to be careful, what is actually defined in the template. For example -if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitely defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value" https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620

• Question 346:

  An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1 The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

  A. Upgrade directly to the target major version
  B. Upgrade one major version at a time
  C. Upgrade the HA pair to a base image
  D. Upgrade two major versions at a time
  B. Upgrade one major version at a time

  ---

  Explanation

  When you upgrade from one PAN-OS feature release version to a later feature release, you cannot skip the installation of any feature release versions in the path to your target release. In addition, the recommended upgrade path includes installing the latest maintenance release in each release version before you install the base image for the next feature release version. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-panos/determine-the-upgrade-path.html

• Question 347:

  What is a correct statement regarding administrative authentication using external services with a local authorization method?

  A. Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.
  B. Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.
  C. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.
  D. The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.
  C. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.

  ---

  Explanation

  The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, or LDAP server. https://docs.paloaltonetworks.com/ pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

• Question 348:

  What should an engineer consider when setting up the DNS proxy for web proxy?

  A. A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.
  B. A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.
  C. DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.
  D. Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.
  A. A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

  ---

  Explanation

• Question 349:

  An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up.

  How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?

  A. show chassis status slot s1
  B. show s/stem state filter ethernet1/1
  C. show s/stem state filter sw.dev interface config
  D. show s/stem state filter-pretty sys.sl*
  D. show s/stem state filter-pretty sys.sl*

  ---

  Explanation

• Question 350:

  Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose? (Choose two)

  A. ms.log
  B. traffic.log
  C. system.log
  D. dp-monitor.log
  E. authd.log
  C. system.log
  E. authd.log

  ---

  Explanation