Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 511:

  Which data flow describes redistribution of user mappings?

  A. User-ID agent to firewall

  B. firewall to firewall

  C. Domain Controller to User-ID agent

  D. User-ID agent to Panorama

  Correct Answer: B

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure- firewalls-to-redistribute-user-mapping-information https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/deploy-user-id-in-a- large-scalenetwork/redistribute-user-mappings-and-authentication-timestamps/firewall- deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-181679306809

• Question 512:

  Which method does an administrator use to integrate all non-native MFA platforms in PAN- OS?software?

  A. Okta

  B. DUO

  C. RADIUS

  D. PingID

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os- admin/authentication/authentication-types/multi-factor-authentication

  For end-user authentication via Authentication Policy, the firewall directly integrates with several MFA platforms (Duo v2, Okta Adaptive, PingID, and RSA SecurID), as well as integrating through RADIUS or SAML for all other MFA platforms.

• Question 513:

  A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial of-service attacks.

  How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

  A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server

  B. Add QoS Profiles to throttle incoming requests

  C. Add a tuned DoS Protection Profile

  D. Add an Anti-Spyware Profile to block attacking IP address

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmTCAS DoS Protection Profiles set the protection thresholds to provide DoS protection against flooding of new sessions for IP floods (CPS limits) to provide resource protection (maximum concurrent session limits for specified endpoints and resources) and to configure whether the profile applies to aggregate or classified traffic. DoS Protection policy rules control where to apply DoS protection and which action to take when traffic matches the criteria defined in the rule.Unlike a Zone Protection Profile, which protects only the ingress zone, DoS Protection Profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Unlike the case with a Zone Protection Profile, which supports only aggregate traffic, you can configure aggregate or classified DoS Protection Profiles and policy rules.

• Question 514:

  Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

  A. Deny application facebook-chat before allowing application facebook

  B. Deny application facebook on top

  C. Allow application facebook on top

  D. Allow application facebook before denying application facebook-chat

  Correct Answer: A

  Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/Failed-to-Block- Facebook-Chat-Consistently/ta-p/115673

• Question 515:

  What should an administrator consider when planning to revert Panorama to a pre-PAN- OS 8.1 version?

  A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.

  B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN- OS 8.1 state.

  C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.

  D. Administrators need to manually update variable characters to those used in pre-PAN- OS 8.1.

  Correct Answer: A

  You are unable to downgrade from PAN-OS 8.1 to an earlier PAN-OS release if variables are used in your template or template stack configuration. Variables must be removed from the template and template stack configuration to downgrade.

• Question 516:

  Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

  A. URL Filtering profile

  B. Zone Protection profile

  C. Anti-Spyware profile

  D. Vulnerability Protection profile

  Correct Answer: A

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat- prevention/prevent-credential-phishing

  Phishing attack prevention extends the URL filtering capabilities to actively detect targeted credential phishing attacks through a cloud-based analytics service as well as through heuristics on the device itself.

• Question 517:

  Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

  A. App Scope

  B. ACC

  C. Session Browser

  D. System Logs

  Correct Answer: C

  Session browser. However ACC will show metadata on traffic through the firewall, and you can create some helpful on-the-fly reports, but these will not provide deep detail. Alternatively for more detail you can go to Monitor > Traffic and filter for relevant sessions.

• Question 518:

  Refer to the exhibit.

  

  An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

  

  

  

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: A

  The Panorama address is wrong. Nothing will get to Panorama. The syslog screen shot is not relavent because they say no traffic logs on Panorama. And the screen shot showing no "Log Forwarding" profile is for a single Sec Policy. Every policy needs log forwarding to show up in Panorama. Only valid if a firewall has only 1 rule. And the last screen shot seems like some random Panorama config screen.

• Question 519:

  An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS?software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS?software can be upgraded?

  A. Security policy rule

  B. CRL

  C. Service route

  D. Scheduler

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC

• Question 520:

  An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  A. Wildfire update package

  B. User-ID agent

  C. Anti virus update package

  D. Application and Threats update package

  Correct Answer: D

  : Dependencies : Before upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS Upgrade. : https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS- Upgrade/ta-p/111045

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/upgrade-to-pan-os- 90/upgrade-the-firewall-to-pan-os-90/upgrade-an-ha-firewall-pair-to-pan-os- 90.html#idab14f5f2-f662-4e5c-ba5b-2cc35993e2ec