Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 481:

  An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the web Ul? (Choose two )

  A. certificate profile
  B. server certificate
  C. SSH Service Profile
  D. SSL/TLS Service Profile
  A. certificate profile
  B. server certificate

  ---

  Explanation

  To configure certificate-based, secure authentication to the web UI, two components are required: a certificate profile and a server certificate. A certificate profile defines the trusted certificate authorities (CAs) for verifying client certificates and server certificates. A server certificate is a digital certificate that identifies the firewall to clients and servers. The firewall can use a self-signed certificate or a certificate signed by an external CA as the server certificate for web UI access. The server certificate must be assigned to an SSL/TLS service profile, which specifies the SSL/TLS protocol version and cipher suites for secure communication. The SSL/TLS service profile must be selected in the general settings of the firewall management interface.

  References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificate-profiles https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/generate-a-certificate-on-the-firewall https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0 https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/ssl-tls-service-profiles https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-webinterface

• Question 482:

  A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

  What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

  A. Log Forwarding Profile is configured but not added to security rules in the data center firewall.
  B. HIP profiles are configured but not added to security rules in the data center firewall.
  C. User ID is not enabled in the Zone where the users are coming from in the data center firewall.
  D. HIP Match log forwarding is not configured under Log Settings in the device tab.
  B. HIP profiles are configured but not added to security rules in the data center firewall.
  C. User ID is not enabled in the Zone where the users are coming from in the data center firewall.

  ---

  Explanation

  For HIP match logs to be visible on the data center firewall, the following conditions must be met:

  HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the

  firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

  User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying

  policies based on user identity and, by extension, for HIP-based policy enforcement.

  The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.

• Question 483:

  A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped a by the firewall, the administrator decides to enable packet butter protection to protect against similar attacks.

  The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

  What else should the administrator do to stop packet buffers from being overflowed?

  A. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
  B. Enable packet buffer protection for the affected zones.
  C. Add a Zone Protection profile to the affected zones.
  D. Apply DOS profile to security rules allow traffic from outside.
  B. Enable packet buffer protection for the affected zones.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

• Question 484:

  An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?

  A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
  B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
  C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
  D. The WildFire Global Cloud only provides bare metal analysis.
  C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

  ---

  Explanation

  Each WildFire cloud--global (U.S.), regional, and private--analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html

• Question 485:

  Which protocol is natively supported by GlobalProtect Clientless VPN?

  A. HTP
  B. SSH
  C. HTTPS
  D. RDP
  C. HTTPS

  ---

  Explanation

• Question 486:

  An engineer has been given approval to upgrade their environment to the latest of PAN-OS.

  The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors.

  What is the recommended order of operational steps when upgrading?

  A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
  B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
  C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
  D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls
  D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

  ---

  Explanation

• Question 487:

  Refer to the exhibit.

  

  Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

  A. Click the hyperlink for the Zero Access.Gen threat.
  B. Click the left arrow beside the Zero Access.Gen threat.
  C. Click the source user with the highest threat count.
  D. Click the hyperlink for the hotport threat Category.
  B. Click the left arrow beside the Zero Access.Gen threat.

  ---

  Explanation

  Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9

• Question 488:

  Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

  A. Enable on Site-A only
  B. Enable on Site-B only
  C. Enable on Site-B only with passive mode
  D. Enable on Site-A and Site-B
  D. Enable on Site-A and Site-B

  ---

  Explanation

• Question 489:

  Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal?

  A. Assign an IP address on each tunnel interface at each site
  B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
  C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
  D. Create new VPN zones at each site to terminate each VPN connection
  C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces

  ---

  Explanation

• Question 490:

  Refer to exhibit.

  

  An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

  A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
  B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
  C. Configure log compression and optimization features on all remote firewalls.
  D. Any configuration on an M-500 would address the insufficient bandwidth concerns.
  A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-overview/centralized-logging-and-reporting https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKFCA0 "When this has to be done over a WAN link with bandwidth limitation, it is necessary to consider reducing the number of log streams that are sent over the link" "With this configuration, firewalls will forward logs to Panorama, assuming that log

  forwarding was configured correctly on the firewall. The logs are forwarded to the syslog server, thus reducing the number of log streams significantly."