Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 541:

  An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

  A. The Passive firewall, which then synchronizes to the active firewall
  B. The active firewall, which then synchronizes to the passive firewall
  C. Both the active and passive firewalls, which then synchronize with each other
  D. Both the active and passive firewalls independently, with no synchronization afterward
  D. Both the active and passive firewalls independently, with no synchronization afterward

  ---

  Explanation

  Palo Alto NetworksPanorama 7.0 Administrator's Guide ?7Manage FirewallsManage Device GroupsManage Device GroupsAdd a Device GroupCreate a Device Group HierarchyCreate Objects for Use in Shared or Device Group PolicyRevert to Inherited Object ValuesManage Unused Shared ObjectsManage Precedence of Inherited ObjectsMove or Clone a Policy Rule or Object to a Different Device GroupSelect a URL Filtering Vendor on PanoramaPush a Policy Rule to a Subset of FirewallsManage the Rule HierarchyAdd a Device GroupAfter adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. #############PAN-OS doesn't synchronize pushed rules across HA peers.######### To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

  https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleOCAS

• Question 542:

  An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

  What should an administrator configure to route interesting traffic through the VPN tunnel?

  A. Proxy IDs
  B. ToS Header
  C. GRE Encapsulation
  D. Tunnel Monitor
  A. Proxy IDs

  ---

  Explanation

  https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/get-started-with-ipsec-vpn-site-to-site/site-to-site-vpn-overview/proxy-id-for-ipsec-vpn

• Question 543:

  When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?

  A. OSPFv3
  B. BGP
  C. OSPF
  D. RIP
  C. OSPF

  ---

  Explanation

• Question 544:

  An administrator plans to install the Windows-Based User-ID Agent.

  What type of Active Directory (AD) service account should the administrator use?

  A. Dedicated Service Account
  B. System Account
  C. Domain Administrator
  D. Enterprise Administrator
  A. Dedicated Service Account

  ---

  Explanation

• Question 545:

  A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknowntcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

  Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

  A. Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.
  B. Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.
  C. Create a custom application with specific timeouts, then create an application override rule and reference the custom application.
  D. Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.
  C. Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

  ---

  Explanation

  For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

  The process involves:

  Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's

  sessions due to inactivity.

  Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

  This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.

• Question 546:

  An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer's IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.

  How can the engineer remediate this issue?

  A. Add a Security policy to allow UDP/500.
  B. Add a Security policy to allow the IKE application.
  C. Add a Security policy to allow the IPSec application.
  D. Add a Security policy to allow UDP/4501.
  C. Add a Security policy to allow the IPSec application.

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0 The ipsec application contains the following sub-apps:

  ike ipsec-ah ipsec-esp ipsec-esp-udp(NAT-T) The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

• Question 547:

  An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

  The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure.

  The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

  Which two solutions can the administrator use to scale this configuration? (Choose two.)

  A. variables
  B. template stacks
  C. collector groups
  D. virtual systems
  A. variables
  B. template stacks

  ---

  Explanation

  When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:

  Template stacks:

  Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.

  Variables:

  Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.

  By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.

  https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks https://docs.paloaltonetworks.com/panorama/10-1/panoramaadmin/manage-firewalls/manage-templates-and-template-stacks/configure-template-or-template-stack-variables.html

• Question 548:

  An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

  

  What could be the cause of this problem?

  A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
  B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.
  C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
  D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.
  C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.

  ---

  Explanation

• Question 549:

  Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS?software?

  A. Okta
  B. DUO
  C. RADIUS
  D. PingID
  C. RADIUS

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication

  For end-user authentication via Authentication Policy, the firewall directly integrates with several MFA platforms (Duo v2, Okta Adaptive, PingID, and RSA SecurID), as well as integrating through RADIUS or SAML for all other MFA platforms.

• Question 550:

  DRAG DROP

  Match each GlobalProtect component to the purpose of that component

  Select and Place:

  

  

  Explanation

  The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure The GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps The GlobalProtect app software runs on endpoints and enables access to your network resources