Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 531:

  Exhibit:

  

  What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

  A. ethernet1/7

  B. ethernet1/5

  C. ethernet1/6

  D. ethernet1/3

  Correct Answer: D

• Question 532:

  A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny". Which action will this cause configuration on the matched traffic?

  A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".

  B. The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede theper-severity defined actions defined in the associated Vulnerability Protection Profile.

  C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.

  D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny."

  Correct Answer: D

  "Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/ policy/security-profiles.html#

• Question 533:

  Which event will happen if an administrator uses an Application Override Policy?

  A. Threat-ID processing time is decreased.

  B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.

  C. The application name assigned to the traffic by the security rule is written to the Traffic log.

  D. App-ID processing time is increased.

  Correct Answer: B

  Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to- Create-an-Application-Override/ta-p/65513

  https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/manage-custom-or- unknown- applications#

  "If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats."

• Question 534:

  An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement?

  A. Decryption Mirror interface with the Threat Analysis license

  B. Virtual Wire interface with the Decryption Port Export license

  C. Tap interface with the Decryption Port Mirror license

  D. Decryption Mirror interface with the associated Decryption Port Mirror license

  Correct Answer: D

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan- os/decryption/decryption-mirroring

  "Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring. "

• Question 535:

  If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

  A. SSL Forward Proxy

  B. SSL Inbound Inspection

  C. TLS Bidirectional proxy

  D. SSL Outbound Inspection

  Correct Answer: A

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl- inbound-inspection.html

• Question 536:

  Which two features does PAN-OS software use to identify applications? (Choose two)

  A. port number

  B. session number

  C. transaction characteristics

  D. application layer payload

  Correct Answer: CD

  The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application-layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.

• Question 537:

  Which three split tunnel methods are supported by a globalProtect gateway? (Choose three.)

  A. video streaming application

  B. Client Application Process

  C. Destination Domain

  D. Source Domain

  E. Destination user/group

  F. URL Category

  Correct Answer: ABC

  You can configure split tunnel traffic based on an access route, destination domain, application, and HTTP/HTTPS video streaming application. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect- gateways/ split-tunnel-traffic-on-globalprotect-gateways.html

• Question 538:

  Refer to exhibit.

  

  An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

  A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

  B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.

  C. Configure log compression and optimization features on all remote firewalls.

  D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

  Correct Answer: A

  https://docs.paloaltonetworks.com/panorama/8-1/panorama- admin/panorama-overview/centralized-logging-and-reporting https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKFCA0 "When this has to be done over a WAN link with bandwidth limitation, it is necessary to consider reducing the number of log streams that are sent over the link" "With this configuration, firewalls will forward logs to Panorama, assuming that log

  forwarding was configured correctly on the firewall. The logs are forwarded to the syslog server, thus reducing the number of log streams significantly."

• Question 539:

  An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

  A. In the details of the Traffic log entries

  B. Decryption log

  C. Data Filtering log

  D. In the details of the Threat log entries

  Correct Answer: A

  Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement- and-Test-SSL-Decryption/ta-p/59719 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC The Question is simply asking how to verify if traffic was being decrypted. There are (2) ways to see this in the traffic logs:

  1.

  To confirm that the traffic is decrypted inside the WebGUI > Monitor > Logs > Traffic. Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.

  2.

  Another way to validate the decrypted session is by enabling the column "Decrypted" as below Traffic logs . This can be done by clicking on the arrow down next to any column title and selecting the Columns > Decrypted. This shows decrypted status in regular traffic log view.

• Question 540:

  An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.

  Which option would achieve this result?

  A. Create a custom App-ID and enable scanning on the advanced tab.

  B. Create an Application Override policy.

  C. Create a custom App-ID and use the "ordered conditions" check box.

  D. Create an Application Override policy and custom threat signature for the application.

  Correct Answer: A

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRoCAK