Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 341:

  A network security administrator has been tasked with deploying User-ID in their organization.

  What are three valid methods of collecting User-ID information in a network? (Choose three.)

  A. Windows User-ID agent

  B. GlobalProtect

  C. XMLAPI

  D. External dynamic list

  E. Dynamic user groups

  Correct Answer: ABC

  User-ID is a feature that enables the firewall to identify users and groups based on their IP addresses, usernames, or other attributes. There are three valid methods of collecting User-ID information in a network:

  Windows User-ID agent: This is a software agent that runs on a Windows server and collects user mapping information from Active Directory, Exchange servers, or other sources. GlobalProtect: This is a VPN solution that provides secure

  remote access for users and devices. It also collects user mapping information from endpoints that connect to the firewall using GlobalProtect. XMLAPI: This is an application programming interface that allows third-party applications or scripts

  to send user mapping information to the firewall using XML format.

• Question 342:

  After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

  A. Ensure Force Template Values is checked when pushing configuration.

  B. Push the Template first, then push Device Group to the newly managed firewal.

  C. Perform the Export or push Device Config Bundle to the newly managed firewall.

  D. Push the Device Group first, then push Template to the newly managed firewall

  Correct Answer: C

  When importing a pre-configured firewall configuration to Panorama, you need to perform the following steps12: Add the serial number of the firewall under Panorama > Managed Devices In Panorama, import the firewall's configuration bundle under Panorama > Setup > Operations > Import device configuration to Panorama Make changes to the imported firewall configuration within Panorama Commit the changes you made to Panorama Perform an Export or push Device Config Bundle operation under Panorama > Setup > Operations The Export or push Device Config Bundle operation allows you to push a complete configuration bundle from Panorama to a managed firewall without duplicating local configurations3. This operation ensures that any local settings on the firewall are preserved and merged with the settings from Panorama.

• Question 343:

  Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

  A. One-time password

  B. User certificate

  C. Voice

  D. SMS

  E. Fingerprint

  Correct Answer: ABD

  The firewall can use three multi-factor authentication methods to authenticate access to the firewall: SMS, user certificate, and one-time password. These methods can be used in combination with other authentication factors, such as username and password, to provide stronger security for accessing the firewall web interface or CLI. The firewall can integrate with various MFA vendors that support these methods through RADIUS or SAML protocols. Voice and fingerprint are not supported by the firewall as MFA methods. References: MFA Vendor Support, PCNSE Study Guide (page 48)

• Question 344:

  The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

  Which profile is the engineer configuring?

  A. Vulnerability Protection

  B. DoS Protection

  C. Packet Buffer Protection

  D. Zone Protection

  Correct Answer: B

  The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods12. References: DoS Protection, PCNSE Study Guide (page 58) https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules

• Question 345:

  Which states will a pair of firewalls be in if their HA Group ID is mismatched?

  A. Active/Non-functional

  B. Active/Passive

  C. Init/Init

  D. Active/Active

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-firewall-states

• Question 346:

  An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer's IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.

  How can the engineer remediate this issue?

  A. Add a Security policy to allow UDP/500.

  B. Add a Security policy to allow the IKE application.

  C. Add a Security policy to allow the IPSec application.

  D. Add a Security policy to allow UDP/4501.

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0 The ipsec application contains the following sub-apps:

  ike ipsec-ah ipsec-esp ipsec-esp-udp(NAT-T) The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

• Question 347:

  A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.

  What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

  A. Stream ID in the IP Option Drop options

  B. Record Route in IP Option Drop options

  C. Ethernet SGT Protection

  D. TCP Fast Open in the Strip TCP options

  Correct Answer: C

  Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.

• Question 348:

  A Panorama administrator configures a new zone and uses the zone in a new Security policy.

  After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?

  A. force template values

  B. merge with candidate config

  C. specify the template as a reference template

  D. include device and network templates

  Correct Answer: D

• Question 349:

  A firewall has Security policies from three sources

  1.

  locally created policies

  2.

  shared device group policies as pre-rules

  3.

  the firewall's device group as post-rules

  How will the rule order populate once pushed to the firewall?

  A. shared device group policies, firewall device group policies. local policies.

  B. firewall device group policies, local policies. shared device group policies

  C. shared device group policies. local policies, firewall device group policies

  D. local policies, firewall device group policies, shared device group policies

  Correct Answer: C

• Question 350:

  WildFire will submit for analysis blocked files that match which profile settings?

  A. files matching Anti-Spyware signatures

  B. files that are blocked by URL filtering

  C. files that are blocked by a File Blocking profile

  D. files matching Anti-Virus signatures

  Correct Answer: D

  https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/wildfire-analysis-of-blocked-files