PCNSE Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: Mar 23, 2026

Palo Alto Networks PCNSE Online Questions & Answers

  • Question 471:

    In an HA failover scenario, what happens to sessions decrypted by an SSL Forward Proxy Decryption policy?

    A. The existing session is transferred to the active firewall.
    B. The firewall drops the session.
    C. The session is sent to fastpath.
    D. The firewall allows the session but does not decrypt the session.

  • Question 472:

    When configuring the firewall for packet capture, what are the valid stage types?

    A. Receive, management, transmit, and drop
    B. Receive, firewall, send, and non-syn
    C. Receive, management, transmit, and non-syn
    D. Receive, firewall, transmit, and drop

  • Question 473:

    An administrator notices that an interface configuration has been overridden locally on a firewall. They require the configuration to be managed from Panorama, and overrides are not allowed. What is one way the administrator can meet this requirement?

    A. Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.
    B. Reload the running configuration and perform a Firewall local commit.
    C. Perform a template commit push from Panorama using the "Force Template Values" option.
    D. Perform a commit force from the CLI of the firewall.

  • Question 474:

    A network security engineer needs to configure a virtual router using IPv6 addresses.

    Which two routing options support these addresses? (Choose two)

    A. BGP
    B. OSPFv3
    C. RIP
    D. Static Route

  • Question 475:

    An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates?

    A. A scheduler will need to be configured for application signatures.
    B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
    C. A Threat Prevention license will need to be installed.
    D. A service route will need to be configured.

  • Question 476:

    An administrator is required to create an application-based Security policy rule to allow Evernote.

    The Evernote application implicitly uses SSL and web browsing.

    What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

    A. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
    B. Add the HTTP, SSL, and Evernote applications to the same Security policy.
    C. Add only the Evernote application to the Security policy rule.
    D. Create an Application Override using TCP ports 443 and 80.

  • Question 477:

    An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow best describes redistribution of user mappings?

    A. Domain Controller to User-ID agent
    B. User-ID agent to Panorama
    C. User-ID agent to firewall
    D. Firewall to firewall

  • Question 478:

    What are two characteristic types that can be defined for a variable? (Choose two)

    A. zone
    B. FQDN
    C. path group
    D. IP netmask

  • Question 479:

    When overriding a template configuration locally on a firewall, what should you consider?

    A. Only Panorama can revert the override
    B. Panorama will lose visibility into the overridden configuration
    C. Panorama will update the template with the overridden value
    D. The firewall template will show that it is out of sync within Panorama

  • Question 480:

    Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

    A. NAT
    B. DoS protection
    C. QoS
    D. Tunnel inspection
