Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 551:

  A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall.

  Which part of files needs to be imported back into the replacement firewall that is using Panorama?

  A. Device state and license files
  B. Configuration and serial number files
  C. Configuration and statistics files
  D. Configuration and Large Scale VPN (LSVPN) setups file
  A. Device state and license files

  ---

  Explanation

• Question 552:

  Four configuration choices are listed, and each could be used to block access to a specific URL.

  If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

  A. PAN-DB URL category in URL Filtering profile
  B. Custom URL category in Security policy rule
  C. Custom URL category in URL Filtering profile
  D. EDL in URL Filtering profile
  A. PAN-DB URL category in URL Filtering profile

  ---

  Explanation

• Question 553:

  Which statement accurately describes service routes and virtual systems?

  A. Virtual systems can only use one interface for all global service and service routes of the firewall
  B. The interface must be used for traffic to the required external services
  C. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall
  D. Virtual systems cannot have dedicated service routes configured: and virtual systems always use the global service and service route settings for the firewall
  C. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system "When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service and service route settings. For example, the firewall can use a shared email server to originate email alerts to all virtual systems. In some scenarios, you'd want to create different service routes for each virtual system."

• Question 554:

  What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three

  A. Configure a URL profile to block the phishing category.
  B. Create a URL filtering profile
  C. Enable User-ID.
  D. Create an anti-virus profile.
  E. Create a decryption policy rule.
  B. Create a URL filtering profile
  C. Enable User-ID.
  E. Create a decryption policy rule.

  ---

  Explanation

• Question 555:

  An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

  Which three settings can be configured in this template? (Choose three.)

  A. Log Forwarding profile
  B. SSL decryption exclusion
  C. Email scheduler
  D. Login banner
  E. Dynamic updates
  B. SSL decryption exclusion
  D. Login banner
  E. Dynamic updates

  ---

  Explanation

  A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login

  banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed

  firewalls in an ordered hierarchy.

  References: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)

• Question 556:

  Which CLI command displays the physical media that are connected to ethernetl/8?

  A. > show system state filter-pretty sys.si.p8.stats
  B. > show interface ethernetl/8
  C. > show system state filter-pretty sys.sl.p8.phy
  D. > show system state filter-pretty sys.si.p8.med
  C. > show system state filter-pretty sys.sl.p8.phy

  ---

  Explanation

  Example output:

  > show system state filter-pretty sys.s1.p1.phy

  sys.s1.p1.phy: {

  link-partner: { },

  media: CAT5,

  type: Ethernet,

  }

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC

• Question 557:

  Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

  A. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
  B. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
  C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
  D. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange
  C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

  ---

  Explanation

• Question 558:

  Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?

  A. Upgrade both HA peers at the same time using Panorama's "Group HA Peers" option to ensure version consistency
  B. Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer
  C. Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability
  D. Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer
  D. Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer

  ---

  Explanation

  For active/passive HA upgrades, best practices minimize downtime by upgrading the passive peer first (Option D), rebooting it to confirm stability, restoring HA sync, and then upgrading the active peer. This keeps services running on the active firewall during the passive upgrade, ensuring a smooth transition with failover capability intact.

  PAN-OS 11.2 Upgrade Guide, "Upgrade HA Firewalls Using Panorama" section.

• Question 559:

  A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)

  A. ae.8
  B. aggregate.1
  C. ae.1
  D. aggregate.8
  A. ae.8
  C. ae.1

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-interfaces/aggregate-ethernet-ae-interface-group.html

• Question 560:

  A threat intelligence team has requested more than a dozen Short signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?

  A. Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.
  B. Create custom vulnerability signatures manually on one firewall export them, and then import them to the rest of the firewalls
  C. Use Panorama IPs Signature Converter to create custom vulnerability signatures, and push them to the firewalls.
  D. Create custom vulnerability signatures manually in Panorama, and push them to the firewalls
  C. Use Panorama IPs Signature Converter to create custom vulnerability signatures, and push them to the firewalls.

  ---

  Explanation