Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 571:

  The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

  

  A. A Certificate Profile that contains the client certificate needs to be selected.

  B. The source address supports only files hosted with an ftp://

  .

  C. External Dynamic Lists do not support SSL connections.

  D. A Certificate Profile that contains the CA certificate needs to be selected.

  Correct Answer: D

  "If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root certificate authority (CA) and intermediate CA certificates that match the certificates installed on the server you are authenticating."

• Question 572:

  An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

  A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

  B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only

  C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRPprotocols)

  D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

  Correct Answer: A

  EIGRP is a Cisco proprietary protocol. The dynamic routing protocols supported on the PAN are RIPv2, OSPF and BGP.

• Question 573:

  Which three authentication factors does PAN-OS?software support for MFA (Choose three.)

  A. Push

  B. Pull

  C. Okta Adaptive

  D. Voice

  E. SMS

  Correct Answer: ADE

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan- os/authentication/configure-multi-factor-authentication

• Question 574:

  To more easily reuse templates and template slacks , you can create term plate variables in place of firewall-specific and appliance-specific IP literals in your configurations.

  Which one is the correct configuration?

  A. @Panorama

  B. #Pancrama

  C. andPanorama

  D. $Panorama

  Correct Answer: D

  Create a template and template stack using a variable name for an object. Variable names must start with the dollar sign ( "$" ) symbol. For example, you could use $Panorama as a variable for the Panorama IP address that you want to configure on multiple managed firewalls and appliances https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/panorama- features/configuration-reusability-for-templates-and-template-stacks.html

• Question 575:

  An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

  

  A. Exhibit A

  B. Exhibit B

  C. Exhibit C

  D. Exhibit D

  Correct Answer: AD

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface- help/web-interface-basics/commit-changes.html

• Question 576:

  The firewall identifies a popular application as an unknown-tcp.

  Which two options are available to identify the application? (Choose two.)

  A. Create a custom application.

  B. Create a custom object for the custom application server to identify the custom application.

  C. Submit an App-ID request to Palo Alto Networks.

  D. Create a Security policy to identify the custom application.

  Correct Answer: AC

  https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/use- application-objects-in-policy/create-a-custom-application https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/manage-custom-or- unknownapplications.html

• Question 577:

  View the GlobalProtect configuration screen capture.

  

  What is the purpose of this configuration?

  A. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.

  B. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.

  C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.

  D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.

  Correct Answer: C

  Reference:

  https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin- guide/globalprotect-portals/define- the-globalprotect-client-authentication- configurations/define-the-globalprotect-agent-configurations

  "Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways.When the user attempts to log in, the agent

  does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the

  endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways"

• Question 578:

  How can a candidate or running configuration be copied to a host external from Panorama?

  A. Commit a running configuration.

  B. Save a configuration snapshot.

  C. Save a candidate configuration.

  D. Export a named configuration snapshot.

  Correct Answer: D

  Reference:

  https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/ad minister-panorama/back-up- panorama-and-firewall-configurations

• Question 579:

  Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

  A. port mapping

  B. server monitoring

  C. client probing

  D. XFF headers

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/map-ip- addresses-to-users/configure-user-mapping-for-terminal-server-users

• Question 580:

  Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

  A. User-logon (Always on)

  B. At-boot

  C. On-demand

  D. Pre-logon

  Correct Answer: D

  Client certificate refers to user cert, it can be used for 'user-logon'/'on- demand' connect methods. Used to authenticate a user. -Machine certificate refers to device cert, it can be used for 'pre-logon' connect method. This is used to authenticate a device, not a user. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK