Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 641:

  An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates?

  A. A scheduler will need to be configured for application signatures.

  B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.

  C. A Threat Prevention license will need to be installed.

  D. A service route will need to be configured.

  Correct Answer: A

  Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface- help/device/device-dynamic-updates

• Question 642:

  An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

  A. Admin Role

  B. WebUI

  C. Authentication

  D. Authorization

  Correct Answer: A

• Question 643:

  Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

  A. TACACS+

  B. Kerberos

  C. PAP

  D. LDAP

  E. SAML

  F. RADIUS

  Correct Answer: AEF

  The administrative accounts are DEFINED on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. Kerberos, LDAP, and PAP required the admin account to be locally defined on the firewall. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall- administration/manage-firewall-administrators/administrative-authentication.html

• Question 644:

  In a Panorama template which three types of objects are configurable? (Choose three)

  A. HIP objects

  B. QoS profiles

  C. interface management profiles

  D. certificate profiles

  E. security profiles

  Correct Answer: BCD

  https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-templates-to-administer-a-base-configuration

• Question 645:

  Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three )

  A. The environment requires real, full-time redundancy from both firewalls at all times

  B. The environment requires Layer 2 interfaces in the deployment

  C. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence

  D. The environment requires that all configuration must be fully synchronized between both members of the HA pair

  E. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes

  Correct Answer: ACE

  Active/Active high availability is a deployment mode that allows both firewalls in an HA pair to actively process traffic and share the load. Active/Active HA is suitable for environments that require real, full-time redundancy from both firewalls at all times, as there is no failover time or session loss in case of a firewall failure. Active/Active HA is also suitable for environments that require that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence, as each firewall can run its own routing protocols and exchange routes with other routers independently. Active/Active HA is also suitable for environments that require that traffic be load-balanced across both firewalls to handle peak traffic spikes, as each firewall can process a portion of the traffic and increase the overall throughput and performance. Active/Active HA is not suitable for environments that require Layer 2 interfaces in the deployment, as Layer 2 interfaces are not supported in Active/Active HA mode. Active/Active HA is also not suitable for environments that require that all configuration must be fully synchronized between both members of the HA pair, as some configuration settings are not synchronized in Active/Active HA mode, such as virtual router configuration, virtual wire configuration, and QoS configuration.

  References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case

• Question 646:

  Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

  A. A single transparent bridge security chain is supported per pair of interfaces

  B. L3 security chains support up to 32 security chains

  C. L3 security chains support up to 64 security chains

  D. A single transparent bridge security chain is supported per firewall

  Correct Answer: AD

• Question 647:

  Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

  

  A. Yes. because the action is set to "allow ''

  B. No because WildFire categorized a file with the verdict "malicious"

  C. Yes because the action is set to "alert"

  D. No because WildFire classified the seventy as "high."

  Correct Answer: A

• Question 648:

  What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

  A. Change the firewall management IP address

  B. Configure a device block list

  C. Add administrator accounts

  D. Rename a vsys on a multi-vsys firewall

  E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

  Correct Answer: BDE

  https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/template-capabilities-and-exceptions

• Question 649:

  An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the web Ul? (Choose two )

  A. certificate profile

  B. server certificate

  C. SSH Service Profile

  D. SSL/TLS Service Profile

  Correct Answer: AB

  To configure certificate-based, secure authentication to the web UI, two components are required: a certificate profile and a server certificate. A certificate profile defines the trusted certificate authorities (CAs) for verifying client certificates and server certificates. A server certificate is a digital certificate that identifies the firewall to clients and servers. The firewall can use a self-signed certificate or a certificate signed by an external CA as the server certificate for web UI access. The server certificate must be assigned to an SSL/TLS service profile, which specifies the SSL/TLS protocol version and cipher suites for secure communication. The SSL/TLS service profile must be selected in the general settings of the firewall management interface.

  References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificate-profiles https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/generate-a-certificate-on-the-firewall https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0 https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/ssl-tls-service-profiles https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-webinterface

• Question 650:

  An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS?software, the administrator enables log forwarding from the firewalls to PanoramA. Pre-existing logs from the firewalls are not appearing in PanoramA.

  Which action would enable the firewalls to send their pre-existing logs to Panorama?

  A. Use the import option to pull logs.

  B. Export the log database

  C. Use the scp logdb export command

  D. Use the ACC to consolidate the logs

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb