Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 571:

  An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

  A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
  B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
  C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRPprotocols)
  D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router
  A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

  ---

  Explanation

  EIGRP is a Cisco proprietary protocol. The dynamic routing protocols supported on the PAN are RIPv2, OSPF and BGP.

• Question 572:

  A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices.

  What should the administrator implement?

  A. target service connection for traffic steering
  B. summarized BGP routes before advertising
  C. hot potato routing
  D. default routing
  D. default routing

  ---

  Explanation

  Default routing-This is the default routing model that Prisma Access uses.

  Use this routing mode if you want Prisma Access to use BGP best path-selection mechanisms without adjusting any of the BGP attributes. In this mode, Prisma Access will honor any attribute advertised by the customer premises equipment

  (CPE).

  https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-advanced-deployments/service-connection-advanced-deployments/route-preferences-for-service-connection-traffic

• Question 573:

  A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet. Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?

  A. Pre-NAT source IP address Pre-NAT source zone
  B. Post-NAT source IP address Pre-NAT source zone
  C. Pre-NAT source IP address Post-NAT source zone
  D. Post-NAT source IP address Post-NAT source zone
  A. Pre-NAT source IP address Pre-NAT source zone

  ---

  Explanation

• Question 574:

  As a best practice, which URL category should you target first for SSL decryption*?

  A. Online Storage and Backup
  B. High Risk
  C. Health and Medicine
  D. Financial Services
  B. High Risk

  ---

  Explanation

  https://docs.paloaltonetworks.com/best-practices/10-0/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment.html Phase in decryption. Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk)

• Question 575:

  A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware category: dns-c2 threat ID:

  1000011111

  Which set of steps should the administrator take to configure an exception for this signature?

  A. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit
  B. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit
  C. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit
  D. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit
  D. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

  ---

  Explanation

  A. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit there is no option to change default action only enable

  B. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit there is no any tab for Exception only signature Exception or DNS exception

  C. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit for sure not vulnerability

  D. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

• Question 576:

  An engineer is deploying VoIP and needs to ensure that voice traffic is treated with the highest priority on the network. Which QoS priority should be assigned to such an application?

  A. Medium
  B. Low
  C. High
  D. Real-time
  D. Real-time

  ---

  Explanation

  Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.

• Question 577:

  An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

  Which three settings can be configured on a Zone Protection profile? (Choose three.)

  A. Ethernet SGT Protection
  B. Protocol Protection
  C. DoS Protection
  D. Reconnaissance Protection
  E. Resource Protection
  B. Protocol Protection
  C. DoS Protection
  D. Reconnaissance Protection

  ---

  Explanation

  B. Protocol Protection: is used to protect against known protocol vulnerabilities, such as buffer overflows and malformed packets.

  C. DoS Protection: is used to protect against denial-of-service (DoS) attacks, such as SYN floods and ICMP floods.

  D. Reconnaissance Protection: is used to protect against reconnaissance attacks, such as port scans and ping sweeps.

• Question 578:

  An engineer is monitoring an active/passive high availability (HA) firewall pair.

  Which HA firewall state describes the firewall that is currently processing traffic?

  A. Active-primary
  B. Active
  C. Active-secondary
  D. Initial
  B. Active

  ---

  Explanation

• Question 579:

  What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

  A. the website matches a category that is not allowed for most users
  B. the website matches a high-risk category
  C. the web server requires mutual authentication
  D. the website matches a sensitive category
  C. the web server requires mutual authentication
  D. the website matches a sensitive category

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/palo-alto-networks-predefined-decryption-exclusions.html The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption commonly used sites that break decryption because of technical reasons such as pinned certificates and mutual authentication.

• Question 580:

  A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

  What does Advanced WildFire do when the link is clicked?

  A. Performs malicious content analysis on the linked page, but not the corresponding PE file.
  B. Performs malicious content analysis on the linked page and the corresponding PE file.
  C. Does not perform malicious content analysis on either the linked page or the corresponding PE file.
  D. Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file.
  D. Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file.

  ---

  Explanation

  Palo Alto Networks' WildFire service is designed to perform advanced analysis on files to identify and protect against new and evolving threats. When a WildFire analysis profile is configured to forward any file type to the WildFire public cloud,

  the service analyzes files that pass through the firewall based on the policy configuration.

  Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file:

  When a user clicks on an unknown link that downloads a Portable Executable (PE) file, WildFire's primary focus is on the file itself rather than the webpage from which it originated. The service analyzes the PE file to determine if it contains

  malicious content. This analysis includes static and dynamic inspection techniques to uncover any malicious behavior.

  The webpage hosting the link may not be analyzed as part of this process unless specific protections or URL filtering policies are in place that trigger such an analysis. The primary concern in this scenario is the PE file, which is directly

  analyzed by WildFire for malicious content.

  By focusing on the files that could pose a direct threat to the network, WildFire provides a robust mechanism for identifying and mitigating potential security risks associated with file downloads.