Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 411:

  Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify'?

  A. PAN-OS versions
  B. Proxy-IDs
  C. IKE Crypto Profile
  D. Security policy
  B. Proxy-IDs

  ---

  Explanation

  Proxy-ID is a parameter that identifies the traffic that needs to be encrypted and tunneled in an IPSec VPN. Proxy-ID consists of the local and remote IP addresses, protocols, and ports. Proxy-ID is used when the peer is using a policy-based

  VPN configuration, which allows specifying the Proxy-ID settings manually. If the Proxy-ID settings do not match on both peers, the phase two of the VPN will not establish a connection. Therefore, the correct answer is

  B.

  The other options are not parts of the configuration that the engineer should verify for phase two of a VPN:

  1.PAN-OS versions: This option is not relevant for phase two of a VPN. PAN-OS versions are the software versions that run on Palo Alto Networks firewalls. They do not affect the VPN connection establishment, as long as they support the same VPN features and protocols

  2.IKE Crypto Profile: This option is not relevant for phase two of a VPN. IKE Crypto Profile is a parameter that defines the encryption and authentication algorithms for IKE negotiation. IKE negotiation is part of phase one of the VPN, not phase two

  3.Security policy: This option is not relevant for phase two of a VPN. Security policy is a rule that allows or denies traffic based on various criteria, such as source, destination, application, user, and service. Security policy does not affect the VPN connection establishment, but only the traffic that passes through the VPN tunnel.

  References:

  1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-site-vpn/set-up-a-site-to-site-vpn-between-two-firewalls/policy-based-vpn

  2: https://docs.paloaltonetworks.com/pan-os.html

  3: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/methods-of-securing-ipsec-vpn-tunnels-ike-phase-2

  4: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy.html

• Question 412:

  A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

  A. SSH Service profile
  B. SSL/TLS Service profile
  C. Decryption profile
  D. Certificate profile
  A. SSH Service profile

  ---

  Explanation

  SSL/TLS profile is only the TLS versions, not ciphers. Decryption Profile is for SSL Inbound and Forward Proxy applications, not mgmt of the PANW Firewall. There's also KB articles to strengthen SSH, but I couldn't find any for HTTPS, on the mgmt interface

• Question 413:

  An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

  A. default-browser-challenge
  B. default-authentication-bypass
  C. default-web-format
  D. default-no-captive-portal
  D. default-no-captive-portal

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-authentication.html

• Question 414:

  Which statement is true regarding a heatmap in a BPA report?

  A. When guided by authorized sales engineer, it helps determine the areas of the greatest security risk.
  B. It runs only on firewalls.
  C. It provides a percentage of adoption for each assessment area.
  D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
  C. It provides a percentage of adoption for each assessment area.

  ---

  Explanation

  https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

• Question 415:

  An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack?

  A. Vulnerability Protection
  B. Anti-Spyware
  C. URL Filtering
  D. Antivirus
  A. Vulnerability Protection

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-security-profiles-vulnerability-protection

• Question 416:

  An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall. What should the administrator configure in order to connect the sites?

  A. Generic Routing Encapsulation (GRE) Tunnels
  B. GlobalProtect Satellite
  C. SD-WAN
  D. IKE Gateways
  B. GlobalProtect Satellite

  ---

  Explanation

• Question 417:

  Refer to the diagram. Users at an internal system want to ssh to the SSH server The server is configured to respond only to the ssh requests coming from IP 172.16.16.1. In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

  

  A. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: Static IP / 172.16.15.1 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Trust Destination IP: 172.16.15.10 Application: ssh
  B. NAT Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: Trust Destination IP: 192.168.15.1 Destination Translation: Static IP / 172.16.15.10 Security Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh
  C. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Trust Destination IP: 192.168.15.1 Destination Translation: Static IP /172.16.15.10 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh
  D. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: dynamic-ip-and-port / ethernet1/4 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh
  D. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: dynamic-ip-and-port / ethernet1/4 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh

  ---

  Explanation

• Question 418:

  Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

  A. Kerberos
  B. PAP
  C. SAML
  D. TACACS+
  E. RADIUS
  F. LDAP
  C. SAML
  D. TACACS+
  E. RADIUS

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

• Question 419:

  A firewall engineer is tasked with defining signatures for a custom application.

  Which two sources can the engineer use to gather information about the application patterns'? (Choose two.)

  A. Traffic logs
  B. Data filtering logs
  C. Policy Optimizer
  D. Wireshark
  D. Wireshark

  ---

  Explanation

• Question 420:

  The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal?

  A. Server Certificate
  B. Client Certificate
  C. Authentication Profile
  D. Certificate Profile
  A. Server Certificate

  ---

  Explanation

  (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/58351)