Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 461:

  Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)

  A. log forwarding auto-tagging
  B. GlobafProtect agent
  C. User-ID Windows-based agent
  D. XML API
  A. log forwarding auto-tagging
  C. User-ID Windows-based agent

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically.html

  You can enable the dynamic registration process using any of the following options:

  User-ID agent for Windows*

  VM Information Sources

  Panorama Plugin

  VMware Service Manager

  XML API*

  Auto-Tag*

  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf

  Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.

• Question 462:

  Which operation will impact performance of the management plane?

  A. DoS protection
  B. WildFire submissions
  C. generating a SaaS Application report
  D. decrypting SSL sessions
  C. generating a SaaS Application report

  ---

  Explanation

• Question 463:

  If the firewall has the link monitoring configuration, what will cause a failover?

  

  A. ethernet1/3 and ethernet1/6 going down
  B. ethernet1/3 going down
  C. ethernet1/3 or Ethernet1/6 going down
  D. ethernet1/6 going down
  A. ethernet1/3 and ethernet1/6 going down

  ---

  Explanation

• Question 464:

  A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

  Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?

  A. Pre-NAT source IP address Pre-NAT source zone
  B. Post-NAT source IP address Pre-NAT source zone
  C. Pre-NAT source IP address Post-NAT source zone
  D. Post-NAT source IP address Post-NAT source zone
  B. Post-NAT source IP address Pre-NAT source zone

  ---

  Explanation

  When configuring Quality of Service (QoS) policies, particularly for traffic going to or from specific IP addresses and involving NAT, it's important to base the rule on how the firewall processes the traffic. For QoS, the firewall evaluates traffic using pre-NAT IP addresses and zones because QoS policies typically need to be applied before the NAT action occurs. This is especially true for inbound traffic, where the goal is to limit bandwidth before the destination IP is translated.

  The correct combination for a QoS rule in this scenario, where the aim is to limit bandwidth for downloads from a specific server (implying inbound traffic to the server), would be:

  Pre-NAT source IP address

  Pre-NAT source zone:

  Pre-NAT source IP address: This refers to the original IP address of the client or source device before any NAT rules are applied. Since QoS policies are evaluated before NAT, using the pre-NAT IP address ensures that the policy applies to

  the correct traffic.

  Pre-NAT source zone: This is the zone associated with the source interface before NAT takes place. Using the pre-NAT zone ensures that the QoS policy is applied to traffic as it enters the firewall, before any translations or routing decisions are made.

  By configuring the QoS rule with pre-NAT information, the firewall can accurately apply bandwidth limitations to the intended traffic, ensuring efficient use of network resources and mitigating the impact of large file downloads from the specified server.

  For detailed guidelines on configuring QoS policies, refer to the Palo Alto Networks documentation, which provides comprehensive instructions and best practices for managing bandwidth and traffic priorities on the network.

• Question 465:

  When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

  A. HSCI-C
  B. Console Backup
  C. HA3
  D. HA2 backup
  C. HA3
  D. HA2 backup

  ---

  Explanation

  These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them1. To configure an active/

  active high availability pair, the following links are required2:

  HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy. HA2: This is

  the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy. HA3: This is the session owner

  synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/

  passive pairs.

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

• Question 466:

  Panorama provides which two SD-WAN functions? (Choose two.)

  A. data plane
  B. physical network links
  C. network monitoring
  D. control plane
  C. network monitoring
  D. control plane

  ---

  Explanation

  https://www.paloaltonetworks.com/resources/guides/sd-wan-architecture-guide https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/about-sd-wan.html

  (Network Monitoring and Control Plane). Data plane and Physical Interfaces are directly taken care through Firewalls where SD WAN is enabled.

• Question 467:

  A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose TWO)

  A. Exclude video traffic
  B. Enable decryption
  C. Block traffic that is not work-related
  D. Create a Tunnel Inspection policy
  A. Exclude video traffic
  C. Block traffic that is not work-related

  ---

  Explanation

  This is because excluding video traffic from being sent over the VPN will reduce the amount of bandwidth being used during peak hours, allowing more bandwidth to be available for other types of traffic. Blocking non-work related traffic will also reduce the amount of bandwidth being used, further freeing up bandwidth for work-related traffic. Enabling decryption and creating a Tunnel Inspection policy are not likely to mitigate the issue of decreased performance during peak-use hours, as they do not directly address the issue of limited bandwidth availability during these times.

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

• Question 468:

  A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?

  A. Create a service route that sets the source interface to the data plane interface in question
  B. Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed
  C. Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface
  D. Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface's IP
  B. Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed

  ---

  Explanation

  When administrative functions (licensing, updates) use a data plane interface, the firewall requires outbound connectivity to Palo Alto Networks servers (e.g., updates.paloaltonetworks.com) via that interface. If HTTPS/SSH work but licensing/

  updates fail, the issue is likely upstream blocking or misrouting. Validating upstream devices (Option B) ensures ports (e.g., 443) and destinations are accessible, resolving the issue.

  PAN-OS 11.2 Administrator's Guide, "Device Management" section -Service Routes and Connectivity Troubleshooting.

• Question 469:

  Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

  A. Resource Protection
  B. TCP Port Scan Protection
  C. Packet Based Attack Protection
  D. Packet Buffer Protection
  A. Resource Protection

  ---

  Explanation

  According to the documentation, resource protection detects and prevents session exhaustion attacks against specific destinations. This type of attack uses a large number of hosts to establish as many fully established sessions as possible to consume all of a system's resources. Resource protection defines the maximum number of concurrent connections for a destination IP address or zone.

  References: Security Profile: DoS Protection Profile Palo Alto Networks https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-dos-protection-profile

• Question 470:

  Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

  A. HA1 IP Address
  B. Network Interface Type
  C. Master Key
  D. Zone Protection Profile
  A. HA1 IP Address
  C. Master Key

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/7-1/panorama-admin/manage-firewalls/template-capabilities-and-exceptions.html# You can use Templates and Template Stacks to define a wide array of settings but you can perform the

  following tasks only locally on each managed firewall:

  Configure a device block list.

  Clear logs.

  Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. Configure the IP addresses of firewalls in an HA pair.

  Configure a master key and diagnostics.

  Compare configuration files (Config Audit).

  Renaming a vsys on a multi-vsys firewall.