Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 631:

  Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

  A. Block sessions with expired certificates

  B. Block sessions with client authentication

  C. Block sessions with unsupported cipher suites

  D. Block sessions with untrusted issuers

  E. Block credential phishing

  Correct Answer: AD

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan- os/decryption/configure-decryption-exceptions Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with unsupported versions and cipher suites, and that require using client authentication. <-- this req client Auth, which is not stated Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates. Define the protocol versions and key exchange, encryption, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection traffic in the SSL Protocol Settings.

• Question 632:

  A customer wants to set up a site-to-site VPN using tunnel interfaces?

  Which two formats are correct for naming tunnel interfaces? (Choose two.)

  A. Vpn-tunnel.1024

  B. vpn-tunne.1

  C. tunnel 1025

  D. tunnel. 1

  Correct Answer: CD

• Question 633:

  An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

  A. System Logs

  B. Task Manager

  C. Traffic Logs

  D. Configuration Logs

  Correct Answer: AB

  A. System Logs: The system logs contain information about various events that occur on the firewall, including the commit process. The administrator can review the system logs to verify whether the commit completed successfully or whether there were any errors or warnings during the commit process. B. Task Manager: The task manager displays a list of all active tasks on the firewall, including the commit task. The administrator can use the task manager to check the status of the commit task, including whether it is in progress, completed successfully, or failed.

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/view- and-manage-logs/log-types-and-severity-levels/config-logs https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/web-interface- basics/taskmanager.html

• Question 634:

  Which logs enable a firewall administrator to determine whether a session was decrypted?

  A. Correlated Event

  B. Traffic

  C. Decryption

  D. Security Policy

  Correct Answer: B

• Question 635:

  Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

  A. The firewall is in multi-vsys mode.

  B. The traffic is offloaded.

  C. The traffic does not match the packet capture filter.

  D. The firewall's DP CPU is higher than 50%.

  Correct Answer: BC

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan- os/monitoring/take-packet-captures/disable-hardware- offload

• Question 636:

  Which CLI command can be used to export the tcpdump capture?

  A. scp export tcpdump from mgmt.pcap to

  B. scp extract mgmt-pcap from mgmt.pcap to

  C. scp export mgmt-pcap from mgmt.pcap to

  D. download mgmt.-pcap

  Correct Answer: C

  Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet- Capture-tcpdump-On-Management-Interface/ta- p/55415

• Question 637:

  How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  A. Configure the option for "Threshold".

  B. Disable automatic updates during weekdays.

  C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.

  D. Automatically "download and install" but with the "disable new applications" option used.

  Correct Answer: A

  For Antivirus and Applications and Threats updates, you have the option to set a minimum Threshold of time that a content update must be available before the firewall installs it. Very rarely, there can be an error in a content update and this threshold ensures that the firewall only downloads content releases that have been available and functioning in customer environments for the specified amount of time. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/ device/device- dynamic-updates

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device- dynamic-updates.html

• Question 638:

  The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

  

  An end-user visits the untrusted website https //www firewall-do-not-trust-website com.

  Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

  A. Forward-Untrust-Certificate

  B. Forward-Trust-Certificate

  C. Firewall-CA

  D. Firewall-Trusted-Root-CA

  Correct Answer: B

• Question 639:

  An administrator needs to troubleshoot a User-ID deployment The administrator believes that there is an issue related to LDAP authentication The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

  A. > ftp export mgmt-pcap from mgmt.pcap to

  B. > scp export mgmt-pcap from mgmt.pcap to {username@host:path>

  C. > scp export pcap-mgmt from pcap.mgmt to (username@host:path)

  D. > scp export pcap from pcap to (usernameQhost:path)

  Correct Answer: B

• Question 640:

  Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which of following step is required to accomplish this goal?

  A. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces.

  B. Assign an IP address on each tunnel interface at each site.

  C. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0.

  D. Create new VPN zones at each site to terminate each VPN connection.

  Correct Answer: A