Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 491:

  The firewall identifies a popular application as an unknown-tcp.

  Which two options are available to identify the application? (Choose two.)

  A. Create a custom application.
  B. Create a custom object for the custom application server to identify the custom application.
  C. Submit an App-ID request to Palo Alto Networks.
  D. Create a Security policy to identify the custom application.
  A. Create a custom application.
  C. Submit an App-ID request to Palo Alto Networks.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/manage-custom-or-unknownapplications.html

• Question 492:

  A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?

  A. Add SSL and web-browsing applications to the same rule.
  B. Add web-browsing application to the same rule.
  C. Add SSL application to the same rule.
  D. SSL and web-browsing must both be explicitly allowed.
  C. Add SSL application to the same rule.

  ---

  Explanation

  'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the web-browsing application implicitly.. In our case, we dont know which APP the question referes too but 'Implicitly means already uses HTTP.

• Question 493:

  An administrator needs to gather information about the firewall CPU utiliza-tion on both the management plane and the data plane. Where does the administrator view the desired data?

  A. Application Command and Control Center
  B. Monitor > Utilization
  C. Support > Resources
  D. System Resources Widget on the Dashboard
  D. System Resources Widget on the Dashboard

  ---

  Explanation

  The System Resources widget on the Dashboard in the WebUI shows both the management plane and data plane CPU utilization as well as other system resources such as memory, disk, and session. The other options do not show both the management plane and data plane CPU utilization. The Application Command and Control Center (ACC) shows the network activity and application usage based on traffic logs. The Monitor > Utilization page shows the interface utilization and packet buffer utilization. The Support > Resources page shows the system resources for Panorama only.

  References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/dashboard/dashboard-widgets

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc/acc-overview

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/monitor/monitor-utilization

  https://docs.paloaltonetworks.com/panorama/10-2/panorama-web-interface-help/support/support-resources

• Question 494:

  To more easily reuse templates and template slacks , you can create term plate variables in place of firewall-specific and appliance-specific IP literals in your configurations.

  Which one is the correct configuration?

  A. @Panorama
  B. #Pancrama
  C. andPanorama
  D. $Panorama
  D. $Panorama

  ---

  Explanation

  Create a template and template stack using a variable name for an object. Variable names must start with the dollar sign ( "$" ) symbol. For example, you could use $Panorama as a variable for the Panorama IP address that you want to configure on multiple managed firewalls and appliances https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/panorama-features/configuration-reusability-for-templates-and-template-stacks.html

• Question 495:

  A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices. To install the certificate and key for an endpoint, which three components are required? (Choose three.)

  A. server certificate
  B. local computer store
  C. private key
  D. self-signed certificate
  E. machine certificate
  B. local computer store
  D. self-signed certificate
  E. machine certificate

  ---

  Explanation

  https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon.html

• Question 496:

  Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

  A. A Deny policy for the tagged traffic
  B. An Allow policy for the initial traffic
  C. A Decryption policy to decrypt the traffic and see the tag
  D. A Deny policy with the "tag" App-ID to block the tagged traffic
  A. A Deny policy for the tagged traffic
  B. An Allow policy for the initial traffic

  ---

  Explanation

  Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy

• Question 497:

  Which three authentication types can be used to authenticate users? (Choose three.)

  A. Local database authentication
  B. PingID
  C. Kerberos single sign-on
  D. GlobalProtect client
  E. Cloud authentication service
  A. Local database authentication
  C. Kerberos single sign-on
  E. Cloud authentication service

  ---

  Explanation

  The three authentication types that can be used to authenticate users are:

  A: Local database authentication. This is the authentication type that uses the local user database on the firewall or Panorama to store and verify user credentials1. C: Cloud authentication service. This is the authentication type that uses a cloud-based identity provider, such as Okta, PingOne, or PingFederate, to authenticate users and provide SAML assertions to the firewall or Panorama2. E: Kerberos single sign-on. This is the authentication type that uses the Kerberos protocol to authenticate users who are logged in to a Windows domain and provide them with seamless access to resources on the firewall or Panorama3.

• Question 498:

  What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

  A. Deny
  B. Discard
  C. Allow
  D. Next VR
  B. Discard

  ---

  Explanation

  Set the Action to take when matching a packet:

  Forward-Directs the packet to the specified Egress Interface. Forward to VSYS (On a firewall enabled for multiple virtual systems)--Select the virtual system to which to forward the packet.

  Discard--Drops the packet.

  No PBF-Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the

  redirected port.

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c

• Question 499:

  A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

  A. test security -policy-match source destination destination port protocol
  B. show security rule source destination destination port protocol
  C. test security rule source destination destination port protocol
  D. show security-policy-match source destination destination port protocol test security-policy-match source
  A. test security -policy-match source destination destination port protocol

  ---

  Explanation

  test security-policy-match source destination protocol https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693

• Question 500:

  What are three prerequisites for credential phishing prevention to function? (Choose three.)

  A. In the URL filtering profile, use the drop-down list to enable user credential detection.
  B. Enable Device-ID in the zone.
  C. Select the action for Site Access for each category.
  D. Add the URL filtering profile to one or more Security policy rules.
  E. Set phishing category to block in the URL Filtering profile.
  A. In the URL filtering profile, use the drop-down list to enable user credential detection.
  D. Add the URL filtering profile to one or more Security policy rules.
  E. Set phishing category to block in the URL Filtering profile.

  ---

  Explanation