Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 601:

  During the packet flow process, which two processes are performed in application identification? (Choose two.)

  A. Pattern based application identification

  B. Application override policy match

  C. Application changed from content inspection

  D. Session application identified.

  Correct Answer: AB

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

• Question 602:

  Which three firewall states are valid? (Choose three.)

  A. Active

  B. Functional

  C. Pending

  D. Passive

  E. Suspended

  Correct Answer: ADE

  Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high- availability/ha-firewall-states https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-firewall- states.html

• Question 603:

  The certificate information displayed in the following image is for which type of certificate? Exhibit:

  

  A. Forward Trust certificate

  B. Self-Signed Root CA certificate

  C. Web Server certificate

  D. Public CA signed certificate

  Correct Answer: B

• Question 604:

  Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)

  A. log forwarding auto-tagging

  B. GlobafProtect agent

  C. User-ID Windows-based agent

  D. XML API

  Correct Answer: AC

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register- ip-addresses-and-tags-dynamically.html

  You can enable the dynamic registration process using any of the following options:

  User-ID agent for Windows*

  VM Information Sources

  Panorama Plugin

  VMware Service Manager

  XML API*

  Auto-Tag*

  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/educatio n/pcnse-study-guide.pdf

  Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.

• Question 605:

  An administrator needs to upgrade an NGFW to the most current version of PAN-OS?software. The following is occurring:

  Firewall has Internet connectivity through e1/1.

  Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.

  Service route is configured, sourcing update traffic from e1/1.

  A communication error appears in the System logs when updates are performed.

  Download does not complete.

  What must be configured to enable the firewall to download the current version of PAN-OS software?

  A. DNS settings for the firewall to use for resolution

  B. scheduler for timed downloads of PAN-OS software

  C. static route pointing application PaloAlto-updates to the update servers

  D. Security policy rule allowing PaloAlto-updates as the application

  Correct Answer: D

• Question 606:

  Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?

  A. syslog listening

  B. Port Mapping

  C. Client Probing

  D. Server Monitoring

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping/configure-the-pan-os-integrated-user-id-agent-as-a-syslog-listener#id91eb3abd43c1-4969-8a5f-df032685e277

• Question 607:

  An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.

  Which application should be used to identify traffic traversing the NGFW?

  A. Custom application

  B. System logs show an application error and neither signature is used.

  C. Downloaded application

  D. Custom and downloaded application signature files are merged and both are used

  Correct Answer: C

• Question 608:

  Which three options are supported in HA Lite? (Choose three.)

  A. Virtual link

  B. Active/passive deployment

  C. Synchronization of IPsec security associations

  D. Configuration synchronization

  E. Session synchronization

  Correct Answer: BCD

  "The PA-200 firewall supports HA Lite only. HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover."

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface- help/device/device-high-availability/ha-lite

• Question 609:

  An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?

  A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

  B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.

  C. The firewalls do not use floating IPs in active/active HA.

  D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

  Correct Answer: A

  Each HA firewall interface has its own IP address and floating IP. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, thus allowing you to load balance traffic to the two HA peers. You also can use external load balancers to load balance traffic.If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure that follows, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.

• Question 610:

  Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

  A. Configure a Decryption Profile and select SSL/TLS services.

  B. Set up SSL/TLS under Polices > Service/URL Category>Service.

  C. Set up Security policy rule to allow SSL communication.

  D. Configure an SSL/TLS Profile.

  Correct Answer: D

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface- help/device/device-certificate-management- ssltls-service-profile