Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 521:

  Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

  A. Video Streaming Application
  B. Destination Domain
  C. Client Application Process
  D. Source Domain
  E. URL Category
  B. Destination Domain
  C. Client Application Process
  E. URL Category

  ---

  Explanation

  The GlobalProtect Gateway supports three methods for split tunneling:

  Access Route --You can define a list of IP addresses or subnets that are accessible through the VPN tunnel. All other traffic goes directly to the internet. Domain and Application --You can define a list of domains or applications that are

  accessible through the VPN tunnel. All other traffic goes directly to the internet. You can also use this method to exclude specific domains or applications from the VPN tunnel. Video Traffic --You can exclude video streaming traffic from the

  VPN tunnel based on predefined categories or custom URLs. This method reduces latency and jitter for video streaming applications.

• Question 522:

  An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:

  less mp-log ikemgr.log:

  

  What could be the cause of this problem?

  A. The public IP addresse do not match for both the Palo Alto Networks Firewall and the ASA.
  B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
  C. The shared secerts do not match between the Palo Alto firewall and the ASA
  D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA
  B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.

  ---

  Explanation

• Question 523:

  Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?

  A. The PAN-OS integrated User-ID agent must be a member of the Active Directory domain
  B. The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW's management CPU
  C. The standalone User-ID agent consumes fewer resources on the NGFW's management CPU
  D. The standalone User-ID agent must run directly on the domain controller server
  C. The standalone User-ID agent consumes fewer resources on the NGFW's management CPU

  ---

  Explanation

  PAN-OS 11.2 Administrator's Guide, "User-ID" section -Integrated vs. Standalone Agent.

• Question 524:

  SD-WAN is designed to support which two network topology types? (Choose two.)

  A. ring
  B. point-to-point
  C. hub-and-spoke
  D. full-mesh
  C. hub-and-spoke
  D. full-mesh

  ---

  Explanation

  https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-sd-wan/sd-wan-plugin-200/features-introduced-in-sd-wan-2-0.html https://www.paloaltonetworks.nl/apps/pan/public/ downloadResource?pagePath=/content/p an/en_US/resources/guides/pan-os-secure-sd-wan-deployment-guide

• Question 525:

  Which data flow describes redistribution of user mappings?

  A. User-ID agent to firewall
  B. firewall to firewall
  C. Domain Controller to User-ID agent
  D. User-ID agent to Panorama
  B. firewall to firewall

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-to-redistribute-user-mapping-information https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/deploy-user-id-in-a-large-scalenetwork/redistribute-user-mappings-and-authentication-timestamps/firewall-deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-181679306809

• Question 526:

  A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

  They notice that commit times have drastically increased for the PA-220S after the migration

  What can they do to reduce commit times?

  A. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
  B. Update the apps and threat version using device-deployment
  C. Perform a device group push using the "merge with device candidate config" option
  D. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.
  A. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

  ---

  Explanation

  According to the Palo Alto Networks documentation, disabling "Share Unused Address and Service Objects with Devices" in Panorama Settings is a possible solution to reduce commit times for firewalls managed by Panorama. This option prevents Panorama from pushing address and service objects that are not used in any policy rules to the firewalls, which can reduce the size of the configuration and improve the commit performance. Therefore, the correct answer is A. The other options are not relevant or effective for reducing commit times: Update the apps and threat version using device-deployment: This option would not help because it is not related to the commit process. Updating the apps and threat version using device-deployment is a feature that allows Panorama to distribute content updates to firewalls without requiring a commit. Perform a device group push using the "merge with device candidate config" option: This option would not help because it is not related to the commit performance. Performing a device group push using the "merge with device candidate config" option is a feature that allows Panorama to merge the local changes on a firewall with the Panorama configuration without overwriting them. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config: This option would not help because it is not related to the commit performance. Using "export or push device config bundle" is a feature that allows Panorama to export or push a complete configuration bundle to a firewall, which can be useful for troubleshooting or migrating configurations.

  References:

  1: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS

  2: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewalls/manage-content-updates-on-managed-firewalls/update-the-apps-and-threats-version-using-device-deployment

  3: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewalls/manage-firewall-configurations/perform-a-device-group-push-using-the-merge-with-device-candidate-config-option

  4: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewalls/manage-firewall-configurations/use-export-or-push-device-config-bundle-to-ensure-that-the-firewall-is-integrated-with-the-panoramaconfig

• Question 527:

  YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:

  *

  ethernet1/1, Zone: Untrust (Internet-facing)

  *

  ethernet1/2, Zone: Trust (client-facing)

  A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.

  Which setting for class 6 with throttle YouTube traffic?

  A. Outbound profile with Guaranteed Ingress
  B. Outbound profile with Maximum Ingress
  C. Inbound profile with Guaranteed Egress
  D. Inbound profile with Maximum Egress
  D. Inbound profile with Maximum Egress

  ---

  Explanation

• Question 528:

  A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis.

  What must the engineer consider when planning deployment?

  A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.
  B. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.
  C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.
  D. Only Panorama must be patched to the target PAN-OS version before updating the firewalls.
  C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.

  ---

  Explanation

• Question 529:

  Firewall administrators cannot authenticate to a firewall GUI.

  Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

  A. ms log
  B. authd log
  C. System log
  D. Traffic log
  E. dp-monitor .log
  B. authd log
  C. System log

  ---

  Explanation

• Question 530:

  What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

  A. Clean
  B. Bengin
  C. Adware
  D. Suspicious
  E. Grayware
  F. Malware
  B. Bengin
  E. Grayware
  F. Malware

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/wildfire-features/wildfire-grayware-verdict