Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 361:

  An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?

  A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.
  B. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
  C. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
  D. Disable the WildFire profile on the related Security policy.
  A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

  ---

  Explanation

• Question 362:

  What are the differences between using a service versus using an application for Security Policy match?

  A. Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification
  B. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used.
  C. There are no differences between "service" or "application" Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers.
  D. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action it the port being used is a member of the application standard port list
  B. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used.

  ---

  Explanation

  https://live.paloaltonetworks.com/t5/blogs/what-are-applications-and-services/ba-p/342508# A service on the Palo Alto Networks firewall is a TCP or UDP portes which port is open or closed and does not look beyond Layer 4. An application it

  goes into Layer 7 inspection to ascertain which application is active in a data flow and will enforce "normal" behavior onto it, DNS Query

  https://live.paloaltonetworks.com/t5/blogs/what-are-applications-and-services/ba-p/342508#

  Concept 1

  A service on the Palo Alto Networks firewall is a TCP or UDP port, as it would be defined on a traditional firewall or access list. It simply defines which port is open or closed and does not look beyond Layer 4.

  Concept 2

  An application is what makes the Palo Alto Networks next-generation firewall so powerful; it goes into Layer 7 inspection to ascertain which application is active in a data flow and will enforce "normal" behavior onto it (e.g., a session identified

  as DNS that suddenly sends an SQL query is abnormal and will be blocked).

• Question 363:

  Cortex XDR notifies an administrator about grayware on the endpoints.

  There are no entnes about grayware in any of the logs of the corresponding firewall.

  Which setting can the administrator configure on the firewall to log grayware verdicts?

  A. within the log settings option in the Device tab
  B. within the log forwarding profile attached to the Security policy rule
  C. in WildFire General Settings, select "Report Grayware Files"
  D. in Threat General Settings^ select "Report Grayware Files"
  C. in WildFire General Settings, select "Report Grayware Files"

  ---

  Explanation

• Question 364:

  

  What will be the source address in the ICMP packet?

  A. 10.30.0.93
  B. 10.46.72.93
  C. 10.46.64.94
  D. 192.168.93.1
  C. 10.46.64.94

  ---

  Explanation

• Question 365:

  An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement?

  A. Decryption Mirror interface with the Threat Analysis license
  B. Virtual Wire interface with the Decryption Port Export license
  C. Tap interface with the Decryption Port Mirror license
  D. Decryption Mirror interface with the associated Decryption Port Mirror license
  D. Decryption Mirror interface with the associated Decryption Port Mirror license

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/decryption-mirroring

  "Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring. "

• Question 366:

  After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.

  

  What are two explanations for this type of issue? (Choose two)

  A. The peer IP is not included in the permit list on Management Interface Settings
  B. The Backup Peer HA1 IP Address was not configured when the commit was issued
  C. Either management or a data-plane interface is used as HA1-backup
  D. One of the firewalls has gone into the suspended state
  B. The Backup Peer HA1 IP Address was not configured when the commit was issued
  C. Either management or a data-plane interface is used as HA1-backup

  ---

  Explanation

  Cause The issue is seen when the HA1-backup is configured with either management (MGT) or an in-band interface. The "Backup Peer HA1 IP Address" is not configured : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCA Uandlang=en_US%E2%80%A9

• Question 367:

  Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

  A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
  B. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks
  C. Add a WildFire subscription to activate DoS and zone protection features
  D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
  A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

  ---

  Explanation

  1 -https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.

  2 -https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html

  3 -https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection.html

• Question 368:

  A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial of-service attacks.

  How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

  A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
  B. Add QoS Profiles to throttle incoming requests
  C. Add a tuned DoS Protection Profile
  D. Add an Anti-Spyware Profile to block attacking IP address
  C. Add a tuned DoS Protection Profile

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmTCAS DoS Protection Profiles set the protection thresholds to provide DoS protection against flooding of new sessions for IP floods (CPS limits) to provide resource protection (maximum concurrent session limits for specified endpoints and resources) and to configure whether the profile applies to aggregate or classified traffic. DoS Protection policy rules control where to apply DoS protection and which action to take when traffic matches the criteria defined in the rule.Unlike a Zone Protection Profile, which protects only the ingress zone, DoS Protection Profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Unlike the case with a Zone Protection Profile, which supports only aggregate traffic, you can configure aggregate or classified DoS Protection Profiles and policy rules.

• Question 369:

  Which two features require another license on the NGFW? (Choose two.)

  A. SSL Inbound Inspection
  B. SSL Forward Proxy
  C. Decryption Mirror
  D. Decryption Broker
  C. Decryption Mirror
  D. Decryption Broker

  ---

  Explanation

• Question 370:

  Refer to the diagram.

  

  An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups.

  Where will the object need to be created within the device-group hierarchy?

  A. Americas
  B. US
  C. East
  D. West
  A. Americas

  ---

  Explanation