Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 421:

  An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?

  B. 99
  C. 1
  D. 255
  D. 255

  ---

  Explanation

  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9)

  https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-os-admin/pan-os-admin.pdf page 315

• Question 422:

  If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

  A. SSL Forward Proxy
  B. SSL Inbound Inspection
  C. TLS Bidirectional proxy
  D. SSL Outbound Inspection
  A. SSL Forward Proxy

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-inbound-inspection.html

• Question 423:

  What is considered the best practice with regards to zone protection?

  A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
  B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
  C. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
  D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
  B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs

  ---

  Explanation

  https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices

• Question 424:

  An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users.

  What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?

  A. The priority assigned to the Authentication profile defines the order of the sequence.
  B. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user.
  C. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made.
  D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.
  D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

  ---

  Explanation

  When user or administrative access is configured, one or more authentication methods must be specified. A user or administrator definition typically requires an Authentication Profile that specifies the desired authentication method. When more than one method is desired, you can instead use an Authentication Sequence, which is a list of Authentication Profiles. The first profile will be accessed. If it is not available, the next option will be tried. An Authentication Profile specifies a single Server Profile. A Server Profile contains specific configuration and access information that is necessary to reach the external authentication service.

• Question 425:

  Which steps should an engineer take to forward system logs to email?

  A. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.
  B. Enable log forwarding under the email profile in the Objects tab.
  C. Create a new email profile under Device > server profiles: then navigate to Device > Log Settings > System and add the email profile under email.
  D. Enable log forwarding under the email profile in the Device tab.
  A. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.

  ---

  Explanation

• Question 426:

  An engineer is tasked with configuring SSL forward proxy for traffic going to external sites. Which of the following statements is consistent with SSL decryption best practices?

  A. The forward trust certificate should not be stored on an HSM.
  B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.
  C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL decryption
  D. The forward untrust certificate should not be signed by a Trusted Root CA
  B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.

  ---

  Explanation

  According to the PCNSE Study Guide1, SSL forward proxy is a feature that allows the firewall to decrypt and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the server, generating a certificate on

  the fly for each site.

  The best practices for configuring SSL forward proxy are23:

  Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients. This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The clients will not see any certificate errors

  if they trust the forward trust certificate.

  Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they do not trust the forward untrust

  certificate. This helps alert users of potential risks and prevent man-in-the-middle attacks. Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM does not support on-the-fly signing of certificates,

  which is required for SSL forward proxy.

• Question 427:

  What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

  A. Navigate to Device > Setup > TCP Settings > NAT Oversubscription Rate
  B. Navigate to Policies > NAT > Destination Address Translation > Dynamic IP (with session distribution)
  C. Navigate to Policies > NAT > Source Address Translation > Dynamic IP (with session distribution)
  D. Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate
  D. Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate

  ---

  Explanation

  NAT oversubscription is a feature that allows you to reuse a translated IP address and port for multiple source devices. This can help you conserve public IP addresses and increase the number of sessions that can be translated by a NAT rule.

• Question 428:

  An engineer must configure a new SSL decryption deployment

  Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

  A. There must be a certificate with both the Forward Trust option and Forward Untrust option selected
  B. A Decryption profile must be attached to the Decryption policy that the traffic matches
  C. A Decryption profile must be attached to the Security policy that the traffic matches
  D. There must be a certificate with only the Forward Trust option selected
  D. There must be a certificate with only the Forward Trust option selected

  ---

  Explanation

  A certificate with only the Forward Trust option selected is required for SSL Forward Proxy decryption, which is the most common type of SSL decryption deployment. A certificate with both the Forward Trust and Forward Untrust options

  selected is required for SSL Inbound Inspection decryption, which is less common. A Decryption profile is not required before any traffic that matches an SSL decryption rule is decrypted, but it is recommended to apply one to control how the

  firewall handles traffic that cannot be decrypted.

  References:

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-forward-proxy

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-inbound-inspection

  https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices

• Question 429:

  Which CLI command can be used to export the tcpdump capture?

  A. scp export tcpdump from mgmt.pcap to
  B. scp extract mgmt-pcap from mgmt.pcap to
  C. scp export mgmt-pcap from mgmt.pcap to
  D. download mgmt.-pcap
  C. scp export mgmt-pcap from mgmt.pcap to

  ---

  Explanation

  https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/ta-p/55415

• Question 430:

  An auditor is evaluating the configuration of Panorama and notices a discrep-ancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?

  A. The modification will not be visible in Panorama.
  B. The firewall template will show that it is out of sync within Panorama.
  C. Panorama will update the template with the overridden value.
  D. Only Panorama can revert the override.
  A. The modification will not be visible in Panorama.

  ---

  Explanation

  When overriding the firewall configuration pushed from Panorama, the modification will not be visible in Panorama. The firewall will show an override icon next to the modified setting and will display a warning message that the local

  configuration differs from Panorama. The override icon will also appear on Panorama next to the firewall name in the Device Groups and Templates tabs. The other options are not correct. The firewall template will not show that it is out of

  sync within Panorama, because the template itself is not modified. Panorama will not update the template with the overridden value, because the template is read-only on the firewall. The override can be reverted either from Panorama or from

  the firewall.

  References:

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/override-a-template-setting https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/

  revert-an-overridden-template-setting