PCNSE Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: Mar 23, 2026

Palo Alto Networks PCNSE Online Questions & Answers

  • Question 621:

    An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of SSL traffic.

    Which three elements should the administrator configure to address this issue? (Choose three.)

    A. QoS on the ingress interface for the traffic flows
    B. An Application Override policy for the SSL traffic
    C. A QoS policy for each application ID
    D. A QoS profile defining traffic classes
    E. QoS on the egress interface for the traffic flows

  • Question 622:

    A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?

    A. Decryption policy and a Data Filtering profile
    B. A WildFire profile and a File Blocking profile
    C. A Vulnerability Protection profile and a Decryption policy
    D. A Vulnerability Protection profile and a QoS policy

  • Question 623:

    A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?

    A. Create a service route that sets the source interface to the data plane interface in question
    B. Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed
    C. Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface
    D. Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface's IP

  • Question 624:

    To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices. You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.

    Given the scenario, choose the option for sending IP address-to-username mappings to the firewall.

    A. UID redistribution
    B. RADIUS
    C. syslog listener
    D. XFF headers

  • Question 625:

    An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

    A. ASBR
    B. ECMP
    C. OSPFv3
    D. OSPF

  • Question 626:

    Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.

    What would be the administrator's next step?

    A. Right-click on the bittorrent link and select Value from the context menu.
    B. Create a global filter for bittorrent traffic and then view Traffic logs.
    C. Create a local filter for bittorrent traffic and then view Traffic logs.
    D. Click on the bittorrent application link to view network activity.

  • Question 627:

    What best describes the HA Promotion Hold Time?

    A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
    B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
    C. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
    D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

  • Question 628:

    An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?

    A. Create an Application Override policy and a custom threat signature for the application
    B. Create an Application Override policy
    C. Create a custom App-ID and use the "ordered conditions" check box
    D. Create a custom App-ID and enable scanning on the advanced tab

  • Question 629:

    Which CLI command displays the current management plane memory utilization?

    A. > debug management-server show
    B. > show running resource-monitor
    C. > show system info
    D. > show system resources

  • Question 630:

    A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall.

    Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two.)

    A. A report can be created that identifies unclassified traffic on the network.
    B. Different security profiles can be applied to traffic matching rules 2 and 3.
    C. Rule 2 and 3 apply to traffic on different ports.
    D. Separate Log Forwarding profiles can be applied to rules 2 and 3.
