Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 521:

  How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

  A. by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device

  B. by using security policies, log forwarding profiles, and log settings.

  C. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the approbate XSOAR playbook

  D. There is no native auto-quarantine feature so a custom script would need to be leveraged.

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new- features/globalprotect-features/identification-and-quarantine-of-compromised-devices.html https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/hostinformation/quarantine-devices-using-host-information/automatically-quarantine-a- device.html#idb42b2b82-b253-4be7-9840-1efa49dba3da

• Question 522:

  When is the content inspection performed in the packet flow process?

  A. after the application has been identified

  B. before session lookup

  C. before the packet forwarding process

  D. after the SSL Proxy re-encrypts the packet

  Correct Answer: C

• Question 523:

  SAML SLO is supported for which two firewall features? (Choose two.)

  A. GlobalProtect Portal

  B. CaptivePortal

  C. WebUI

  D. CLI

  Correct Answer: AC

  SSO is available to administrators who access the web interface and to end users who access applications through GlobalProtect or Captive Portal.

  SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml

• Question 524:

  On the NGFW. how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

  A. 1.Select Device > Certificate Management > Certificates >Devace > Certificates

  2.

  Import the certificate.

  3.

  Select Import Private Key

  4.

  Click Generate to generate the new certificate

  B. 1. Select Device > Certificates

  2.

  Select Certificate Profile

  3.

  Generate the certificate

  4.

  Select Block Private Key Export.

  C. 1. Select Device > Certificates

  2.

  Select Certificate Profile.

  3.

  Generate the certificate

  4.

  Select Block Private Key Export

  D. 1. Select Device > Certificate Management > Certificates > Device > Certificates

  2.

  Generate the certificate

  3.

  Select Block Private Key Export

  4.

  Click Genet ale to generate the new certificate.

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new- features/decryption-features/block-export-of-private-keys.html https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/block-private- key-export

• Question 525:

  Which DoS protection mechanism detects and prevents session exhaustion attacks?

  A. Packet Based Attack Protection

  B. Flood Protection

  C. Resource Protection

  D. TCP Port Scan Protection

  Correct Answer: C

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/dos- protection-profiles

  In addition to setting IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos- protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection- profiles.html

• Question 526:

  A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS?software would help in this case?

  A. application override

  B. Virtual Wire mode

  C. content inspection

  D. redistribution of user mappings

  Correct Answer: D

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user- id/deploy-user-id-in-a-large-scale-network

• Question 527:

  An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

  A. WildFire updates

  B. NAT

  C. NTP

  D. antivirus

  E. File blocking

  Correct Answer: BDE

• Question 528:

  The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.)

  A. View the System logs and look for the error messages about BGP.

  B. Perform a traffic pcap on the NGFW to see any BGP problems.

  C. View the Runtime Stats and look for problems with BGP configuration.

  D. View the ACC tab to isolate routing issues.

  Correct Answer: BC

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEWCA0

• Question 529:

  If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

  A. Mapping to the IP address of the logged-in user.

  B. First four letters of the username matching any valid corporate username.

  C. Using the same user's corporate username and password.

  D. Marching any valid corporate username.

  Correct Answer: C

  The Windows-based User ID agent is installed on a Read-Only Domain Controller (RODC). The User ID agent collects password hashes that correspond to users for which you want to enable credential detection and sends these mappings to the firewall. The firewall then checks if the source IP address of a session matches a username and if the password submitted to the webpage belongs to that username. With this mode, the firewall blocks or alerts on the submission only when the password submitted matches a user password.

• Question 530:

  An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack?

  A. Vulnerability Protection

  B. Anti-Spyware

  C. URL Filtering

  D. Antivirus

  Correct Answer: A

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface- help/objects/objects-security-profiles- vulnerability-protection