Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 591:

  An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

  A. Security policy rule allowing SSL to the target server

  B. Firewall connectivity to a CRL

  C. Root certificate imported into the firewall with "Trust" enabled

  D. Importation of a certificate from an HSM

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl- inbound-inspection.html

• Question 592:

  An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

  A. Anti-Spyware

  B. WildFire

  C. Vulnerability Protection

  D. Antivirus

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles

• Question 593:

  Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

  A. web-browsing and 443

  B. SSL and 80

  C. SSL and 443

  D. web-browsing and 80

  Correct Answer: A

  We know that SSL decryption is supposed to give us visibility of traffic that would otherwise be encrypted. Therefore, we'd expect decrypted traffic to be identified as the underlying applications, such as web-browsing, facebook-base or other,

  but not as SSL.

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmdLCAS https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle8CAC

• Question 594:

  For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )

  A. equal-cost multipath

  B. ingress processing errors

  C. rule match with action "allow"

  D. rule match with action "deny"

  Correct Answer: BD

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 Denying traffic will discard the packet. Packets can also be discarded due to malformed or incorrect frames, datagrams or packets.

• Question 595:

  Refer to the exhibit.

  

  An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic.

  Which two security policy rules will accomplish this configuration? (Choose two)

  A. Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow

  B. Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow

  C. Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow

  D. Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow

  Correct Answer: BC

• Question 596:

  Which log file can be used to identify SSL decryption failures?

  A. Configuration

  B. Threats

  C. ACC

  D. Traffic

  Correct Answer: D

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC

• Question 597:

  A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http:// www.company.com.

  How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

  A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question:.

  B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.

  C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.

  D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

  Correct Answer: B

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

• Question 598:

  Which feature can be configured on VM-Series firewalls?

  A. aggregate interfaces

  B. machine learning

  C. multiple virtual systems

  D. GlobalProtect

  Correct Answer: D

• Question 599:

  Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

  A. respond to changes in user behavior or potential threats using manual policy changes

  B. respond to changes in user behavior or potential threats without automatic policy changes

  C. respond to changes in user behavior and confirmed threats with manual policy changes

  D. respond to changes in user behavior or potential threats without manual policy changes

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id- features/dynamic-user-groups#:~:text=Because%20updates%20to%20dynamic%20user,threats%20without%20m anual%20policy%20changes.

• Question 600:

  Which PAN-OS policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

  A. Security policy

  B. Decryption policy

  C. Authentication policy

  D. Application Override policy

  Correct Answer: C

  Authentication policy enables you to authenticate end users before they can access services and applications. Whenever a user requests a service or application (such as by visiting a web page), the firewall evaluates Authentication policy. Based on the matching Authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors), such as login and password, Voice, SMS, Push, or One- time Password (OTP) authentication https:// docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication- policy