Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 501:

  Which Captive Portal mode must be configured to support MFA authentication?

  A. NTLM

  B. Redirect

  C. Single Sign-On

  D. Transparent

  Correct Answer: B

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan- os/authentication/configure-multi-factor-authentication

• Question 502:

  An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

  A. View Runtime Stats in the virtual router.

  B. View System logs.

  C. Add a redistribution profile to forward as BGP updates.

  D. Perform a traffic pcap at the routing stage.

  Correct Answer: AB

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldcCAC

• Question 503:

  Which method will dynamically register tags on the Palo Alto Networks NGFW?

  A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)

  B. Restful API or the VMware API on the firewall or on the User-ID agent

  C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI

  D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

  Correct Answer: D

  Reference: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/monitor- changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy.html

  dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2,.....tag32}, w"

• Question 504:

  An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?

  A. 0

  B. 99

  C. 1

  D. 255

  Correct Answer: D

  Reference:

  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan- os/pan-os/section_5.pdf (page 9)

  https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-os- admin/pan-os-admin.pdf page 315

• Question 505:

  In the following image from Panorama, why are some values shown in red?

  

  A. sg2 session count is the lowest compared to the other managed devices.

  B. us3 has a logging rate that deviates from the administrator-configured thresholds.

  C. uk3 has a logging rate that deviates from the seven-day calculated baseline.

  D. sg2 has misconfigured session thresholds.

  Correct Answer: C

  "The Deviating Devices tab displays devices that have any metrics that are deviating from their calculated baseline and displays those deviating metrics in red. A metric health baseline is determined by averaging the health performance for a given metric over seven days plus the standard deviation." https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web- interface/panorama-managed-devices-summary/panorama-managed-devices-health

• Question 506:

  Refer to the exhibit.

  

  An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)

  Which two security policy rules will accomplish this configuration? (Choose two.)

  A. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing - Allow

  B. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

  C. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow

  D. Untrust (Any) to Untrust (10.1.1.1), SSH - Allow

  E. Untrust (Any) to DMZ (1.1.1.100), SSH - Allow

  Correct Answer: BE

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os- admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many- mapping#

• Question 507:

  Based on the following image,

  

  what is the correct path of root, intermediate, and end-user certificate?

  A. Palo Alto Networks > Symantec > VeriSign

  B. Symantec > VeriSign > Palo Alto Networks

  C. VeriSign > Palo Alto Networks > Symantec

  D. VeriSign > Symantec > Palo Alto Networks

  Correct Answer: D

• Question 508:

  When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

  A. Load named configuration snapshot

  B. Load configuration version

  C. Save candidate config

  D. Export device state

  Correct Answer: D

• Question 509:

  Which feature can provide NGFWs with User-ID mapping information?

  A. GlobalProtect

  B. Web Captcha

  C. Native 802.1q authentication

  D. Native 802.1x authentication

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/user-id- concepts/user-mapping.html

• Question 510:

  VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

  A. Zone Protection

  B. Replay

  C. Web Application

  D. DoS Protection

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up- site-to-site-vpn/set-up-an-ipsec-tunnel#