Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 581:

  An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

  A. The Passive firewall, which then synchronizes to the active firewall

  B. The active firewall, which then synchronizes to the passive firewall

  C. Both the active and passive firewalls, which then synchronize with each other

  D. Both the active and passive firewalls independently, with no synchronization afterward

  Correct Answer: D

  Palo Alto NetworksPanorama 7.0 Administrator's Guide ?7Manage FirewallsManage Device GroupsManage Device GroupsAdd a Device GroupCreate a Device Group HierarchyCreate Objects for Use in Shared or Device Group PolicyRevert to Inherited Object ValuesManage Unused Shared ObjectsManage Precedence of Inherited ObjectsMove or Clone a Policy Rule or Object to a Different Device GroupSelect a URL Filtering Vendor on PanoramaPush a Policy Rule to a Subset of FirewallsManage the Rule HierarchyAdd a Device GroupAfter adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. #############PAN-OS doesn't synchronize pushed rules across HA peers.######### To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

  https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to- panorama-management https://knowledgebase.paloaltonetworks.com/ KCSArticleDetail?id=kA10g000000CleOCAS

• Question 582:

  If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

  A. The settings assigned to the template that is on top of the stack.

  B. The administrator will be promoted to choose the settings for that chosen firewall.

  C. All the settings configured in all templates.

  D. Depending on the firewall location, Panorama decides with settings to send.

  Correct Answer: A

  Reference:

  https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/ma nage-firewalls/manage- templates-and-template-stacks/configure-a-template-stack

• Question 583:

  An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.

  The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application

  SSL.

  Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

  A. Create a decryption rule matching the encrypted BitTorrent traffic with action "No- Decrypt," and place the rule at the top of the Decryption policy.

  B. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy.

  C. Disable the exclude cache option for the firewall.

  D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

  Correct Answer: D

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK Block sessions that use cipher suites you don't support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don't allow users to connect to sites with weak cipher suites.

• Question 584:

  Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS?version, and serial number?

  A. debug system details

  B. show session info

  C. show system info

  D. show system details

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZuCAK

  Reference:

  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical- documentation/pan-os-60/PAN-OS-6.0- CLI-ref.pdf

• Question 585:

  Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

  A. Disable SNMP on the management interface.

  B. Application override of SSL application.

  C. Disable logging at session start in Security policies.

  D. Disable predefined reports.

  E. Reduce the traffic being decrypted by the firewall.

  Correct Answer: ACD

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS

• Question 586:

  An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?

  A. Enable QoS Data Filtering Profile

  B. Enable QoS monitor

  C. Enable Qos interface

  D. Enable Qos in the interface Management Profile.

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface- help/network/network-qos/qos-interface-settings#

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/quality-of-service/configure- qos.html

  QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS policy, a QoS Profile, and configuration of the QoS egress interface.

• Question 587:

  If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

  A. TLS Bidirectional Inspection

  B. SSL Inbound Inspection

  C. SSH Forward Proxy

  D. SMTP Inbound Decryption

  Correct Answer: B

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan- os/decryption/configure-ssl-inbound-inspection

  1.

  SSL Forward Proxy - Inside to Outside (To the the internet)

  2.

  SSL Inbound Proxy - Outside to Inside (usually towards a hosted webserver in your net)

  3.

  SSH Forward Proxy - As is states, for SSH traffic. The important one to remember for this type of decryption is that no certs are required.

• Question 588:

  An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS?software, the administrator enables log forwarding from the firewalls to PanoramA. Pre-existing logs from the firewalls are not appearing in PanoramA.

  Which action would enable the firewalls to send their pre-existing logs to Panorama?

  A. Use the import option to pull logs into Panorama.

  B. A CLI command will forward the pre-existing logs to Panorama.

  C. Use the ACC to consolidate pre-existing logs.

  D. The log database will need to exported form the firewalls and manually imported into Panorama.

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new- features/management-features/pa-7000-series-firewall-log-forwarding-to-panorama https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up- panorama/installcontent-and-software-updates-for-panorama/migrate-panorama-logs-to- new-log-format

• Question 589:

  An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?

  A. Use config-drive on a USB stick.

  B. Use an S3 bucket with an ISO.

  C. Create and attach a virtual hard disk (VHD).

  D. Use a virtual CD-ROM with an ISO.

  Correct Answer: D

  Reference: https://www.paloaltonetworks.com/documentation/71/pan- os/newfeaturesguide/management-features/bootstrapping- firewalls-for-rapid- deployment.html https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/bootstrap-the-vm- series-firewall/bootstrap-package

• Question 590:

  Refer to the exhibit.

  

  Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

  A. ethernet1/6

  B. ethernet1/3

  C. ethernet1/7

  D. ethernet1/5

  Correct Answer: D

  PBF is to e1/5, but the current time is not in time schedule. the normal routing will go to e1/3