Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 621:

  The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

  A. 6-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone

  B. 5-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol

  C. 7-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone

  D. 9-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

  Correct Answer: A

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0 On a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone.

• Question 622:

  To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure.

  A. BGP (Border Gateway Protocol)

  B. PBP (Packet Buffer Protection)

  C. PGP (Packet Gateway Protocol)

  D. PBP (Protocol Based Protection)

  Correct Answer: D

• Question 623:

  A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)

  A. ae.8

  B. aggregate.1

  C. ae.1

  D. aggregate.8

  Correct Answer: AC

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface- help/network/network-interfaces/aggregate-ethernet-ae-interface-group.html

• Question 624:

  Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

  A. Red Hat Enterprise Virtualization (RHEV)

  B. Kernel Virtualization Module (KVM)

  C. Boot Strap Virtualization Module (BSVM)

  D. Microsoft Hyper-V

  Correct Answer: BD

  Reference: https://www.paloaltonetworks.com/products/secure-the-network/virtualized- next-generation-firewall/vm-series docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/about-the-vm-series- firewall/vm-series-deployments

• Question 625:

  Based on the image, what caused the commit warning?

  

  A. The CA certificate for FWDtrust has not been imported into the firewall.

  B. The FWDtrust certificate has not been flagged as Trusted Root CA.

  C. SSL Forward Proxy requires a public certificate to be imported into the firewall.

  D. The FWDtrust certificate does not have a certificate chain.

  Correct Answer: A

• Question 626:

  A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

  A. The three-way TCP handshake was observed, but the application could not be identified.

  B. The three-way TCP handshake did not complete.

  C. The traffic is coming across UDP, and the application could not be identified.

  D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

  Correct Answer: B

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

• Question 627:

  In which two types of deployment is active/active HA configuration supported? (Choose two.)

  A. TAP mode

  B. Layer 2 mode

  C. Virtual Wire mode

  D. Layer 3 mode

  Correct Answer: CD

  Active/Active-- Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each

  other. Active/active HA is supported in virtual wire and Layer 3 deployments. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha- concepts/ha-modes https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/

  high-availability/ha- concepts/hamodes#:~:text=Active%2Fpassive%20HA%20is%20supported,such%20as%20IPSec%20s ecurity%20associations.

• Question 628:

  Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

  A. Dynamic

  B. Custom Panorama Admin

  C. Role Based

  D. Device Group

  E. Template Admin

  Correct Answer: DE

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

• Question 629:

  Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

  A. GlobalProtect version 4.0 with PAN-OS 8.1

  B. GlobalProtect version 4.1 with PAN-OS 8.1

  C. GlobalProtect version 4.1 with PAN-OS 8.0

  D. GlobalProtect version 4.0 with PAN-OS 8.0

  Correct Answer: B

• Question 630:

  Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?

  A. 15,000

  B. 10,000

  C. 75,00

  D. 5,000

  Correct Answer: B

  https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/submit-files-for- wildfire-analysis/manually-upload-files-to-the-wildfire- portal.html#:~:text=All%20Palo%20Alto%20Networks%20customers,a%20day%20for%20 WildFire%

  20analysis.

  "The WildFire API supports up to 1,000 file submissions and up to 10,000 queries a day." https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire- subscription https://docs.paloaltonetworks.com/wildfire/10-0/

  wildfire-admin/submit-files-for-wildfire- analysis/manually-upload-files-to-the-wildfire-portal.html