Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 471:

  The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

  A. test panoramas-connect 10.10.10.5

  B. show panoramas-status

  C. show arp all I match 10.10.10.5

  D. topdump filter "host 10.10.10.5

  E. debug dataplane packet-diag set capture on

  Correct Answer: BD

• Question 472:

  Which feature prevents the submission of corporate login information into website forms?

  A. Data filtering

  B. User-ID

  C. File blocking

  D. Credential phishing prevention

  Correct Answer: D

  Reference: https://www.paloaltonetworks.com/cyberpedia/how-the-next-generation- security-platform-contributes-to-gdpr-compliance

  "Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website. Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate."

• Question 473:

  A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

  A. Enable packet buffer protection on the Zone Protection Profile.

  B. Apply an Anti-Spyware Profile with DNS sinkholing.

  C. Use the DNS App-ID with application-default.

  D. Apply a classified DoS Protection Profile.

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection- and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection- profiles

  To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.

• Question 474:

  Which is not a valid reason for receiving a decrypt-cert-validation error?

  A. Unsupported HSM

  B. Unknown certificate status

  C. Client authentication

  D. Untrusted issuer

  Correct Answer: A

  Per the link https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new- features/networking-features/ssl-ssh-session-end-reasons , receiving the decrypt-cert-validation error is valid for the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. "Unsupported HSM" is not a valid reason for receiving a decrypt-cert-validation error.

• Question 475:

  When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

  A. To enable Gateway authentication to the Portal

  B. To enable Portal authentication to the Gateway

  C. To enable user authentication to the Portal

  D. To enable client machine authentication to the Portal

  Correct Answer: C

  The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite. Reference https://www.paloaltonetworks.com/documentation/71/panos/web-interface- help/globalprotect/network-globalprotect-portals

• Question 476:

  A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

  Which two mandatory options are used to configure a VLAN interface? (Choose two.)

  A. Virtual router

  B. Security zone

  C. ARP entries

  D. Netflow Profile

  Correct Answer: AB

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface- help/network/network-interfaces/pa-7000-series- layer-2-interface#idd2bcaacc-54b9-4ec9- a1dd-8064499f5b9d

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

  VLAN interface is not necessary but in this scenarion we assume it is. Create VLAN object, VLAN interface and VLAN Zone. Attach VLAN interface to VLAN object together with two L2 interfaces then attach VLAN interface to virtual router. Without VLAN interface you can pass traffic between interfaces on the same network and with VLAN interface you can route traffic to other networks.

• Question 477:

  SD-WAN is designed to support which two network topology types? (Choose two.)

  A. ring

  B. point-to-point

  C. hub-and-spoke

  D. full-mesh

  Correct Answer: CD

  https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins- release-notes/panorama-plugin-for-sd-wan/sd-wan-plugin-200/features-introduced-in-sd- wan-2-0.html https://www.paloaltonetworks.nl/apps/pan/public/ downloadResource?pagePath=/content/p an/en_US/resources/guides/pan-os-secure-sd-wan-deployment-guide

• Question 478:

  An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

  A. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from themanagement interfaced destined for the update servers goes out of the interface acting as your internet connection.

  B. Configure a security policy rule to allow all traffic to and from the update servers.

  C. Download and install application updates cannot be done automatically if the MGT port cannot reach the internet.

  D. Configure a service route for Palo Alto networks services that uses a dataplane interface that can route traffic to the internet, and create a security policy rule to allow the traffic from that interface to the update servers if necessary.

  Correct Answer: D

  "By default, the firewall uses management interface to communicate to various servers including DNS, Email, Palo Alto Updates, User-ID agent, Syslog, Panorama etc. Service routes are used so that the communication between the firewall and servers go through the dataplane."https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g00000 0ClGJCA0 "The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list."https://docs.paloaltonetworks.com/pan-os/7-1/pan-osweb-interface- help/device/device-dynamic-updates#

• Question 479:

  Which virtual router feature determines if a specific destination IP address is reachable?

  A. Heartbeat Monitoring

  B. Failover

  C. Path Monitoring

  D. Ping-Path

  Correct Answer: C

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based- forwarding/pbf/path-monitoring-for-pbf

• Question 480:

  A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

  Which VPN configuration would adapt to changes when deployed to the future site?

  A. Preconfigured GlobalProtect satellite

  B. Preconfigured GlobalProtect client

  C. Preconfigured IPsec tunnels

  D. Preconfigured PPTP Tunnels

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale- vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite- configurations.html