Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 31:

  A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4. 2.2.2 for the IP address of the web server, www,xyz.com. The DNS server returns an address of 172.16.15.1

  In order to reach Ire web server, which Security rule and NAT rule must be configured on the firewall?

  

  A. NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

  B. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (192.168.15.47) - Application: Web-browsing

  C. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

  D. NAT Rule: Untrust-L3 (any) - Untrust-L3 (any) Destination Translation: 192.168.15.1 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

  Correct Answer: A

• Question 32:

  In a template, which two objects can be configured? (Choose two.)

  A. SD-WAN path quality profile

  B. Monitor profile

  C. IPsec tunnel

  D. Application group

  Correct Answer: BC

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html

• Question 33:

  Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify'?

  A. PAN-OS versions

  B. Proxy-IDs

  C. IKE Crypto Profile

  D. Security policy

  Correct Answer: B

  Proxy-ID is a parameter that identifies the traffic that needs to be encrypted and tunneled in an IPSec VPN. Proxy-ID consists of the local and remote IP addresses, protocols, and ports. Proxy-ID is used when the peer is using a policy-based

  VPN configuration, which allows specifying the Proxy-ID settings manually. If the Proxy-ID settings do not match on both peers, the phase two of the VPN will not establish a connection. Therefore, the correct answer is B.

  The other options are not parts of the configuration that the engineer should verify for phase two of a VPN:

  1.

  PAN-OS versions: This option is not relevant for phase two of a VPN. PAN-OS versions are the software versions that run on Palo Alto Networks firewalls. They do not affect the VPN connection establishment, as long as they support the same VPN features and protocols

  2.

  IKE Crypto Profile: This option is not relevant for phase two of a VPN. IKE Crypto Profile is a parameter that defines the encryption and authentication algorithms for IKE negotiation. IKE negotiation is part of phase one of the VPN, not phase two

  3.

  Security policy: This option is not relevant for phase two of a VPN. Security policy is a rule that allows or denies traffic based on various criteria, such as source, destination, application, user, and service. Security policy does not affect the VPN connection establishment, but only the traffic that passes through the VPN tunnel.

  References:

  1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-site-vpn/set-up-a-site-to-site-vpn-between-two-firewalls/policy-based-vpn

  2: https://docs.paloaltonetworks.com/pan-os.html

  3: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/methods-of-securing-ipsec-vpn-tunnels-ike-phase-2

  4: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy.html

• Question 34:

  An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?

  A. test vpn flow

  B. test vpn Ike--sa

  C. test vpn tunnel

  D. test vpn gateway

  Correct Answer: B

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0

• Question 35:

  Where can a service route be configured for a specific destination IP?

  A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4

  B. Use Device > Setup > Services > Services

  C. Use Device > Setup > Services > Service Route Configuration > Customize > Destination

  D. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

• Question 36:

  An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template an engineer can configure? (Choose three.)

  A. NTP Server Address

  B. Antivirus Profile

  C. Authentication Profile

  D. Service Route Configuration

  E. Dynamic Address Groups

  Correct Answer: ACD

  NTP Server Address D. Service Route Configuration Short of Correct Answer Only: These parts of a template can be configured on Panorama. An antivirus profile and an authentication profile are not parts of a template, but parts

  of a device group.

  References:

  https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/templates-and-template-stacks-overview https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/

  manage-firewalls/manage-device-groups/device-group-overview

• Question 37:

  An auditor is evaluating the configuration of Panorama and notices a discrep-ancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?

  A. The modification will not be visible in Panorama.

  B. The firewall template will show that it is out of sync within Panorama.

  C. Panorama will update the template with the overridden value.

  D. Only Panorama can revert the override.

  Correct Answer: A

  When overriding the firewall configuration pushed from Panorama, the modification will not be visible in Panorama. The firewall will show an override icon next to the modified setting and will display a warning message that the local

  configuration differs from Panorama. The override icon will also appear on Panorama next to the firewall name in the Device Groups and Templates tabs. The other options are not correct. The firewall template will not show that it is out of

  sync within Panorama, because the template itself is not modified. Panorama will not update the template with the overridden value, because the template is read-only on the firewall. The override can be reverted either from Panorama or from

  the firewall.

  References:

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/override-a-template-setting https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/

  revert-an-overridden-template-setting

• Question 38:

  Which three items must be configured to implement application override? (Choose three )

  A. Custom app

  B. Security policy rule

  C. Application override policy rule

  D. Decryption policy rule

  E. Application filter

  Correct Answer: ABC

  According to the Palo Alto Networks documentation1, application override is where the firewall is configured to override the normal application identification (App-ID) of specific traffic passing through the firewall. To implement application override, the following items must be configured: Custom app: This is a user-defined application that is used to identify the traffic that needs to be overridden. It is recommended to create a custom app for the application override policy, rather than using a predefined app that may have different default ports and threat inspection capabilities2. Security policy rule: This is a rule that allows the traffic that matches the custom app through the firewall. The security policy rule must use the custom app as the application filter and specify the source and destination zones, addresses, and users as needed2. Application override policy rule: This is a rule that defines the criteria for overriding the App-ID of the traffic. The application override policy rule must use the custom app as the application filter and specify the source and destination zones, addresses, ports, and protocols as needed2. The other options are not required or relevant for implementing application override: Decryption policy rule: This is a rule that defines the criteria for decrypting encrypted traffic. It is not related to application override, although decryption may be needed to identify some applications that use encryption. Application filter: This is an object that groups applications based on various criteria, such as category, subcategory, technology, or risk. It is not an item that must be configured for application override, although it can be used as a reference in security policy rules or custom apps. References: https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-create-an-application-override/ba-p/451872 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0 https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/how-decryption-works https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-custom-or-unknown-applications/create-an-application-filter

• Question 39:

  An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall. What should the administrator configure in order to connect the sites?

  A. Generic Routing Encapsulation (GRE) Tunnels

  B. GlobalProtect Satellite

  C. SD-WAN

  D. IKE Gateways

  Correct Answer: B

• Question 40:

  A customer wants to set up a site-to-site VPN using tunnel interfaces. What format is the correct naming convention for tunnel interfaces?

  A. tun.1025

  B. tunnel.50

  C. vpn.1024

  D. gre1/2

  Correct Answer: B