Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 511:

  A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

  What must occur to have Antivirus signatures update?

  A. An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.
  B. An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.
  C. An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.
  D. Install the Application and Threats updates first, then refresh the Dynamic Updates.
  D. Install the Application and Threats updates first, then refresh the Dynamic Updates.

  ---

  Explanation

• Question 512:

  An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

  What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

  A. Configure a floating IP between the firewall pairs.
  B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
  C. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
  D. On one pair of firewalls, run the CLI command: set network interface vlan arp.
  B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCA S change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet. This will prevent the MAC addresses from conflicting and allow the firewalls to properly route traffic. You can also configure a floating IP between the firewall pairs if necessary.

• Question 513:

  Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

  A. Block sessions with expired certificates
  B. Block sessions with client authentication
  C. Block sessions with unsupported cipher suites
  D. Block sessions with untrusted issuers
  E. Block credential phishing
  A. Block sessions with expired certificates
  D. Block sessions with untrusted issuers

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-decryption-exceptions Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with unsupported versions and cipher suites, and that require using client authentication. <--this req client Auth, which is not stated Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates. Define the protocol versions and key exchange, encryption, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection traffic in the SSL Protocol Settings.

• Question 514:

  An engineer must configure the Decryption Broker feature.

  Which Decryption Broker security chain supports bi-directional traffic flow?

  A. Layer 2 security chain
  B. Layer 3 security chain
  C. Transparent Bridge security chain
  D. Transparent Proxy security chain
  B. Layer 3 security chain

  ---

  Explanation

  Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.

• Question 515:

  A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?

  A. show session all filter nat source
  B. show running nat-rule-ippool rule "rule_name"
  C. show running nat-policy
  D. show session all filter nat-rule-source
  A. show session all filter nat source

  ---

  Explanation

• Question 516:

  Where is information about packet buffer protection logged?

  A. Alert entries are in the Alarms log Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log
  B. All entries are in the System log
  C. Alert entries are in the System log Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log
  D. All entries are in the Alarms log
  C. Alert entries are in the System log Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

  ---

  Explanation

  The firewall records alert events in the System log, and records events for dropped traffic, discarded sessions, and blocked IP address in the Threat log.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-buffer-protection

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

• Question 517:

  Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

  A. Check dependencies
  B. Schedules
  C. Verify
  D. Revert content
  E. Install
  B. Schedules
  D. Revert content
  E. Install

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content

• Question 518:

  An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

  A. In the details of the Traffic log entries
  B. Decryption log
  C. Data Filtering log
  D. In the details of the Threat log entries
  A. In the details of the Traffic log entries

  ---

  Explanation

  https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC The Question is simply asking how to verify if traffic was being decrypted. There are (2) ways to see this in the traffic logs:

  1.To confirm that the traffic is decrypted inside the WebGUI > Monitor > Logs > Traffic. Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.

  2.Another way to validate the decrypted session is by enabling the column "Decrypted" as below Traffic logs . This can be done by clicking on the arrow down next to any column title and selecting the Columns > Decrypted. This shows decrypted status in regular traffic log view.

• Question 519:

  A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred?

  A. From the CLI issue use the show System log
  B. Apply the filter subtype eq ha to the System log
  C. Apply the filter subtype eq ha to the configuration log
  D. Check the status of the High Availability widget on the Dashboard of the GUI
  B. Apply the filter subtype eq ha to the System log

  ---

  Explanation

• Question 520:

  What must be taken into consideration when preparing a log forwarding design for all of a customer's deployed Palo Alto Networks firewalls?

  A. The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected
  B. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules
  C. App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected
  D. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings"
  B. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules

  ---

  Explanation

  For log forwarding in PAN-OS, traffic and threat logs require a Log Forwarding profile attached to Security rules (Option B) to send logs to external systems (e.g., syslog, Panorama). Without this, logs are stored locally but not forwarded, a

  critical design consideration.

  PAN-OS 11.2 Administrator's Guide, "Policies" section -Log Forwarding Profiles.