In an HA failover scenario, what occurs when sessions match an SSL Forward Proxy Decryption policy?
A. HA Sync does not occur; the existing session is transferred to the active firewall. B. HA Sync does not occur; the firewall drops the session. C. HA Sync occurs; the session is sent to fastpath. D. HA Sync occurs; the firewall allows the session but does not decrypt the session.
D. HA Sync occurs; the firewall allows the session but does not decrypt the session.
Question 642:
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)
A. Application Override policy. B. Security policy to identify the custom application. C. Custom application. D. Custom Service object.
A. Application Override policy. C. Custom application.
Explanation
Unlike the App-ID engine, which inspects application packet contents for unique signature elements, the Application Override policy's matching conditions are limited to header-based data only. Traffic matched by an Application Override policy is identified by the App-ID entered in the Application entry box. Choices are limited to applications currently in the App-ID database.
Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a Layer-4 firewall. Thus, this traffic should be trusted without the need for Content-ID inspection. The resulting application assignment can be used in other firewall functions such as Security policy and QoS.
Use Cases
Three primary use cases for Application Override policy are: to identify "Unknown" App-IDs with a different or custom application signature; to re-identify an existing application signature; and to bypass the Signature Match Engine (within the SP3 architecture) to improve processing times.
A discussion of typical uses of application override and specific implementation examples is here: https://live.paloaltonetworks.com/t5/LearningArticles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513
Question 643:
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a no-decrypt Decryption Policy rule. B. Configure an EDL to pull IP addresses of known sites resolved from a CRL. C. Create a Dynamic Address Group for untrusted sites. D. Create a Security Policy rule with vulnerability Security Profile attached. E. Enable the "Block sessions with untrusted issuers" setting.
A. Create a no-decrypt Decryption Policy rule. E. Enable the "Block sessions with untrusted issuers" setting.
Question 644:
A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172.20.30.1 B. 172.20.40.1 C. 172.20.20.1 D. 172.20.10.1
C. 172.20.20.1
Question 645:
Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)
A. HA cluster members must be the same firewall model and run the same PAN-OS version. B. HA cluster members must share the same zone names. C. Panorama must be used to manage HA cluster members. D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.
A. HA cluster members must be the same firewall model and run the same PAN-OS version. D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.
Question 646:
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Question 647:
You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?
A. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office. B. Create an Application Group and add business-systems to it. C. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory. D. Create an Application Filter and name it Office Programs, then filter on the business-systems category.
C. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.
Question 648:
What are three reasons why an installed session can be identified with the application "incomplete" tag? (Choose three.)
A. The TCP connection was terminated without identifying any application data. B. The client sent a TCP segment with the PUSH flag set. C. There is not enough application data after the TCP connection was established. D. The TCP connection did not fully establish. E. There was no application data after the TCP connection was established.
A. The TCP connection was terminated without identifying any application data. D. The TCP connection did not fully establish. E. There was no application data after the TCP connection was established.
Question 649:
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.
What can be the cause of this problem?
A. No Zone has been configured on Ethernet 1/4. B. Interface Ethernet 1/1 is in Virtual Wire Mode. C. DNS has not been properly configured on the firewall. D. DNS has not been properly configured on the host.
A. No Zone has been configured on Ethernet 1/4.
Question 650:
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using the ntfs file system, and the initial configuration is stored in a file named init-cfg.txt.
The contents of init-cfg.txt in the USB flash drive are as follows:
The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. The bootstrap.xml file is a required file, but it is missing. B. init-cfg.txt is an incorrect filename; the correct filename should be init-cfg.xml. C. The USB must be formatted using the ext4 file system. D. There must be commas between the parameter names and their values instead of the equal symbols. E. The USB drive has been formatted with an unsupported file system.
E. The USB drive has been formatted with an unsupported file system
Explanation
Per Palo Alto Networks, FAT32 and ext3 are supported, so the correct answer is E (unsupported file system).
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the