Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 481:

  An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

  A. default-browser-challenge

  B. default-authentication-bypass

  C. default-web-format

  D. default-no-captive-portal

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects- authentication.html

• Question 482:

  Which feature can provide NGFWs with User-ID mapping information?

  A. Web Captcha

  B. Native 802.1q authentication

  C. GlobalProtect

  D. Native 802.1x authentication

  Correct Answer: C

• Question 483:

  Which three settings are defined within the Templates object of Panorama? (Choose three.)

  A. Setup

  B. Virtual Routers

  C. Interfaces

  D. Security

  E. Application Override

  Correct Answer: ABC

• Question 484:

  What file type upload is supported as part of the basic WildFire service?

  A. PE

  B. BAT

  C. VBS

  D. ELF

  Correct Answer: A

  https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire- overview/wildfire-subscription.html

• Question 485:

  Which protection feature is available only in a Zone Protection Profile?

  A. SYN Flood Protection using SYN Flood Cookies

  B. ICMP Flood Protection

  C. Port Scan Protection

  D. UDP Flood Protections

  Correct Answer: C

  Configure one of the following Reconnaissance Protection actions for the firewall to take in response to the corresponding reconnaissance attempt:Allow--The firewall allows the port scan or host sweep reconnaissance to continue. SYN Flood Cookies is also available on DoS Protection Profile, the answer refers to ONLY. DoS Protection profiles protect specific devices (classified profiles) and groups of devices (aggregate profiles) against SYN, UDP, ICMP, ICMPv6, and Other IP flood attacks.

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface- help/network/network-network-profiles/network-network-profiles-zone- protection/reconnaissance-protection.html#ida0512c75-ed54-4b31-8d2c-9f459466d4d2 Port scan protection = Reconnaissance Protection That can only be done in a Zone Protection Profile. That's meant to be configured on an external-facing interface to protect the entire attack surface. DOS Protection profiles are meant to be configured on internal-facing interfaces to protect a specific server or group of servers from flood attacks, including SYN Flood. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and- dos-protection/configure-zone-protection-to-increase-network-security/configure- reconnaissance-protection

• Question 486:

  Refer to the exhibit.

  

  Which certificates can be used as a Forwarded Trust certificate?

  A. Certificate from Default Trust Certificate Authorities

  B. Domain Sub-CA

  C. Forward_Trust

  D. Domain-Root-Cert

  Correct Answer: B

  The SSL Forward Proxy certificate must be a trusted CA certificate with private key. In order to use this cert as a Forward Proxy certificate, you must open the certificate and select the checkbox to enable it as a Forward Trust Certificate. See the following doc, Step 2 number 5: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os- admin/decryption/configure-ssl-forward-proxy.html

• Question 487:

  Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  A. Create a no-decrypt Decryption Policy rule.

  B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.

  C. Create a Dynamic Address Group for untrusted sites

  D. Create a Security Policy rule with vulnerability Security Profile attached.

  E. Enable the "Block sessions with untrusted issuers" setting.

  Correct Answer: AE

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile

• Question 488:

  Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

  A. System log

  B. CPU Utilization widget

  C. Resources widget

  D. System Utilization log

  Correct Answer: C

  System Resources (widget)Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-webinterface- help/dashboard/dashboard-widgets#

• Question 489:

  How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

  A. Use the debug dataplane packet-diag set capture stage firewall file command.

  B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).

  C. Use the debug dataplane packet-diag set capture stage management file command.

  D. Use the tcpdump command.

  Correct Answer: D

  Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet- Capture/ta-p/62390 https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet- captures/take-a-packet-capture-on-the-management-interface.html

• Question 490:

  A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS?software would help in this case?

  A. Application override

  B. Redistribution of user mappings

  C. Virtual Wire mode

  D. Content inspection

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/deploy- user-id-in-a-large-scale-network.html