Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 351:

  Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

  A. GlobalProtect
  B. Authentication
  C. User-ID
  D. WildFire
  B. Authentication
  C. User-ID

  ---

  Explanation

  In PAN-OS, the Log Forwarding object under Objects configures forwarding for Authentication (Option B) and User-ID (Option C) logs, among others, to external systems (e.g., syslog servers).

  PAN-OS 11.2 Administrator's Guide, "Objects" section -Log Forwarding Configuration.

• Question 352:

  Given the following table.

  

  Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

  A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
  B. Configuring the metric for RIP to be higher than that of OSPF Int.
  C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
  D. Configuring the metric for RIP to be lower than that OSPF Ext.
  A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.

  ---

  Explanation

• Question 353:

  Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

  A. Configure the management interface as HA3 Backup
  B. Configure Ethernet 1/1 as HA1 Backup
  C. Configure Ethernet 1/1 as HA2 Backup
  D. Configure the management interface as HA2 Backup
  E. Configure the management interface as HA1 Backup
  F. Configure ethernet1/1 as HA3 Backup
  B. Configure Ethernet 1/1 as HA1 Backup
  E. Configure the management interface as HA1 Backup

  ---

  Explanation

• Question 354:

  Refer to the exhibit.

  

  Which certificate can be used as the Forward Trust certificate?

  A. Domain Sub-CA
  B. Domain-Root-Cert
  C. Certificate from Default Trusted Certificate Authorities
  D. Forward-Trust
  A. Domain Sub-CA

  ---

  Explanation

• Question 355:

  What happens when the log forwarding built-in action with tagging is used?

  A. Selected logs are forwarded to the Azure Security Center.
  B. Destination zones of selected unwanted traffic are blocked.
  C. Destination IP addresses of selected unwanted traffic are blocked.
  D. Selected unwanted traffic source zones are blocked.
  A. Selected logs are forwarded to the Azure Security Center.

  ---

  Explanation

• Question 356:

  After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

  The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to

  1400 bytes.

  The engineer reviews the following CLI output for ethernet1/1.

  

  Which setting should be modified on ethernet1/1 to remedy this problem?

  A. Change the subnet mask from /23 to /24.
  B. Lower the interface MTU value below 1500.
  C. Adjust the TCP maximum segment size (MSS) value.
  D. Enable the Ignore IPv4 Don't Fragment (DF) setting.
  C. Adjust the TCP maximum segment size (MSS) value.

  ---

  Explanation

  Please note that even though adjusting the MSS value on the PA firewall solves the issue, the issue is not caused by the Firewall. The issue is caused by other hosts in the path that have lower MTU setting.

• Question 357:

  In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama.

  Each firewall has an active WildFire subscription On each firewall. WildFire togs are available.

  This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

  A. Threat logs
  B. Traffic togs
  C. System logs
  D. WildFire logs
  A. Threat logs

  ---

  Explanation

  Access to the WildFire logs from Panorama requires the following: a WildFire subscription, a File Blocking profile that is attached to a Security rule, and Threat log forwarding to Panorama. https://docs.paloaltonetworks.com/panorama/10-2/ panorama-admin/monitor-network-activity/use-case-respond-to-an-incident-using-panorama/review-wildfire-logs

• Question 358:

  An administrator has been tasked with configuring decryption policies, Which decryption best practice should they consider?

  A. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.
  B. Decrypt all traffic that traverses the firewall so that it can be scanned for threats.
  C. Place firewalls where administrators can opt to bypass the firewall when needed.
  D. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.
  A. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

  ---

  Explanation

  The best decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic1. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner1.

• Question 359:

  A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

  A. DHCP has been set to Auto.
  B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
  C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
  D. DNS has not been properly configured on the firewall
  B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.

  ---

  Explanation

• Question 360:

  Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

  A. debug dataplane internal vif route 255
  B. show routing route type management
  C. debug dataplane internal vif route 250
  D. show routing route type service-route
  C. debug dataplane internal vif route 250

  ---

  Explanation

  When troubleshooting Palo Alto Networks services, such as dynamic updates, verifying the status of service routes is critical. Service routes determine how the firewall communicates with external services (e.g., Palo Alto Networks update

  servers, WildFire, DNS, etc.) from the Management Plane or data plane interfaces.

  Why "debug dataplane internal vif route 250" is Correct Purpose of the Command:

  Output:

  Analysis of Other Options

  debug dataplane internal vif route 255

  show routing route type management

  debug dataplane internal vif route 250

  show routing route type service-route

  PAN-OS Documentation Reference

  Service Routes in PAN-OS 11.0:

  For more details, refer to:

  PAN-OS 11.0 CLI Guide: Covers debugging tools and service route verification. PCNSA Study Guide: Domain 1 includes service route configurations and their importance in maintaining connectivity for management services.