Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 431:

  An administrator would like to determine which action the firewall will take for a specific CVE.

  Given the screenshot below, where should the administrator navigate to view this information?

  

  A. The profile rule action
  B. CVE column
  C. Exceptions tab
  D. The profile rule threat name
  C. Exceptions tab

  ---

  Explanation

  The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering

  functions.

  If you not believed, then login the firewall go to Vulnerability > Exceptions and select "Show all signatures". From there you will see all threat information including specific actions.

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC

• Question 432:

  What are three types of Decryption Policy rules? (Choose three.)

  A. SSL Inbound Inspection
  B. SSH Proxy
  C. SSL Forward Proxy
  D. Decryption Broker
  E. Decryption Mirror
  A. SSL Inbound Inspection
  B. SSH Proxy
  C. SSL Forward Proxy

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule

• Question 433:

  Given the screenshot, how did the firewall handle the traffic?

  

  A. Traffic was allowed by policy but denied by profile as encrypted.
  B. Traffic was allowed by policy but denied by profile as a threat.
  C. Traffic was allowed by profile but denied by policy as a threat.
  D. Traffic was allowed by policy but denied by profile as a nonstandard port.
  B. Traffic was allowed by policy but denied by profile as a threat.

  ---

  Explanation

  The screenshot shows the threat log which records the traffic that matches a threat signature or is blocked by a security profile. The log entry indicates that the traffic was allowed by the security policy rule "Allow-All" but was denied by the vulnerability protection profile "strict" as a threat. The threat name is "Microsoft Windows SMBv1 Multiple Vulnerabilities (MS17-010: EternalBlue)" and the action is "reset-both" which means that the firewall reset both the client and server connections.

  References: : https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields

• Question 434:

  An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events.

  All six servers have IP addresses assigned from the following subnet: 192.168 28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28. and the Microsoft Exchange servers resideL in 192.168.28 48/28

  What information does the administrator need to provide in the User Identification > Discovery section?

  A. The IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers
  B. Network 192 168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange
  C. Network 192 168 28.32/27 with server type Microsoft
  D. One IP address of a Microsoft Active Directory server and "Auto Discover" enabled to automatically obtain all five of the other servers
  A. The IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers

  ---

  Explanation

  The administrator needs to provide the IP address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers in the User Identification > Discovery section. The administrator should enter the network address of 192.168.28.32/28 and select "Microsoft Active Directory" as the server type for the four Active Directory servers and enter the network address of 192.168.28.48/28 and select "Microsoft Exchange" as the server type for the two Exchange servers. This will allow the User-ID agent to discover and map the IP address of each server to the corresponding username.

• Question 435:

  A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed. How should email log forwarding be configured to achieve this goal?

  A. With the relevant system log filter inside Device > Log Settings
  B. With the relevant configuration log filter inside Device > Log Settings
  C. With the relevant configuration log filter inside Objects > Log Forwarding
  D. With the relevant system log filter inside Objects > Log Forwarding
  B. With the relevant configuration log filter inside Device > Log Settings

  ---

  Explanation

  Config related logs are generated by the management plane, hence in the device section

• Question 436:

  A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

  The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

  What is the best choice for an SSL Forward Untrust certificate?

  A. A web server certificate signed by the organization's PKI
  B. A self-signed certificate generated on the firewall
  C. A subordinate Certificate Authority certificate signed by the organization's PKI
  D. A web server certificate signed by an external Certificate Authority
  B. A self-signed certificate generated on the firewall

  ---

  Explanation

  B is the best choice for an SSL Forward Untrust certificate because a self-signed certificate generated on the firewall is not trusted by any client browsers by default1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the self-signed certificate to the client, which will trigger an untrusted certificate warning2. This way, the security admin can ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

  A web server certificate signed by the organization's PKI (A) or a subordinate Certificate Authority certificate signed by the organization's PKI ?are not good choices for an SSL Forward Untrust certificate because they are trusted by the client browsers that have the organization's root CA installed1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server or subordinate CA certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

  A web server certificate signed by an external Certificate Authority (D) is not a good choice for an SSL Forward Untrust certificate because it is trusted by most client browsers that have the external CA in their trust store1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

  Verified

  References:

  1: How to Configure SSL Decryption -Palo Alto Networks Knowledge Base

  2: How to Implement and Test SSL Decryption -Palo Alto Networks Knowledge Base

• Question 437:

  Refer to the exhibit.

  

  Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

  A. ethernet1/6
  B. ethernet1/3
  C. ethernet1/7
  D. ethernet1/5
  D. ethernet1/5

  ---

  Explanation

  PBF is to e1/5, but the current time is not in time schedule. the normal routing will go to e1/3

• Question 438:

  A organizations administrator has the funds available to purchase more firewalls to increase the organization's security posture.

  The partner SE recommends placing the firewalls as close as possible to the resources that they protect.

  Is the SE's advice correct and why or why not?

  A. Yes Firewalls are session based so they do not scale to millions of CPS
  B. No Placing firewalls m front of perimeter DDoS devices provides greater protection tor sensitive devices inside the network
  C. Yes Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems
  D. No Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle independent of placement
  A. Yes Firewalls are session based so they do not scale to millions of CPS

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

• Question 439:

  What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

  A. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway
  B. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately
  C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS
  D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS
  C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS

  ---

  Explanation

  The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

  If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

  This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.

• Question 440:

  A user at an external system with the IP address 65.124 57 5 quenes the DNS server at 4 2 2 2 for the IP address of the web server www xyz com The DNS server returns an address of 172 16 151 In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  D. Option D

  ---

  Explanation