Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 461:

  A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post. Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

  A. Zone Protection Policy with UDP Flood Protection

  B. QoS Policy to throttle traffic below maximum limit

  C. Security Policy rule to deny trafic to the IP address and port that is under attack

  D. Classified DoS Protection Policy using destination IP only with a Protect action

  Correct Answer: D

• Question 462:

  Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.

  Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

  A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.

  B. Wait until an official Application signature is provided from Palo Alto Networks.

  C. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application

  D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

  Correct Answer: D

• Question 463:

  A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

  A. test security -policy- match source destination destination port protocol

  B. show security rule source destination destination port protocol

  C. test security rule source destination destination port protocol

  D. show security-policy-match source destination destination port protocol test security-policy-match source

  Correct Answer: A

  test security-policy-match source destination protocol https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security- Policy-Applies-to-a-Traffic-Flow/ta-p/53693

• Question 464:

  An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  E. Option E

  Correct Answer: B

• Question 465:

  An administrator needs to optimize traffic to prefer business-critical applications over non- critical applications. QoS natively integrates with which feature to provide service quality?

  A. Port Inspection

  B. Certificate revocation

  C. Content-ID

  D. App-ID

  Correct Answer: D

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/quality-of- service/qos-for-applications-and-users

• Question 466:

  What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

  A. Rule Usage Hit counter will not be reset

  B. Highlight Unused Rules will highlight all rules.

  C. Highlight Unused Rules will highlight zero rules.

  D. Rule Usage Hit counter will reset.

  Correct Answer: AB

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0 "Notice how the rules looks after selecting "Highlight Unused Rules." You can now see exactly what rules have and have not been used since the last reboot."

• Question 467:

  A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

  A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096 in the "Tag Allowed" field of the V-Wire object.

  B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.

  C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface tA. unique zone. Do not assign any interface an IP address.

  D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os- admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

• Question 468:

  Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.)

  A. On the App Dependency tab in the Commit Status window

  B. On the Application tab in the Security Policy Rule creation window

  C. On the Objects > Applications browsers pages

  D. On the Policy Optimizer's Rule Usage page

  Correct Answer: AB

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use- application-objects-in-policy/resolve-application-dependencies.html

• Question 469:

  Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

  A. link requirements

  B. the name of the ISP

  C. IP Addresses

  D. branch and hub locations

  Correct Answer: ACD

  https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan- overview/plan-sd-wan-configuration

• Question 470:

  A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred?

  A. From the CLI issue use the show System log

  B. Apply the filter subtype eq ha to the System log

  C. Apply the filter subtype eq ha to the configuration log

  D. Check the status of the High Availability widget on the Dashboard of the GUI

  Correct Answer: B