Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 651:

  When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )

  A. user-logon (always on)

  B. pre-logon then on-demand

  C. on-demand (manual user initiated connection)

  D. post-logon (always on)

  E. certificate-logon

  Correct Answer: ABC

• Question 652:

  An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

  The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure.

  The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

  Which two solutions can the administrator use to scale this configuration? (Choose two.)

  A. variables

  B. template stacks

  C. collector groups

  D. virtual systems

  Correct Answer: AB

  When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:

  Template stacks:

  Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network

  configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.

  Variables:

  Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other

  specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.

  By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach

  streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.

  https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks https://docs.paloaltonetworks.com/panorama/10-1/panoramaadmin/manage-firewalls/manage-templates-and-template-stacks/configure-template-or-template-stack- variables.html

• Question 653:

  A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.

  Where is the best place to validate if the firewall is blocking the user's TAR file?

  A. Threat log

  B. Data Filtering log

  C. WildFire Submissions log

  D. URL Filtering log

  Correct Answer: B

  Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ1CAK

• Question 654:

  An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface. What are three supported functions on the VWire interface? (Choose three )

  A. NAT

  B. QoS

  C. IPSec

  D. OSPF

  E. SSL Decryption

  Correct Answer: ABE

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces

  "The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT."

• Question 655:

  With the default TCP and UDP settings on the firewall what will be me identified application in the following session?

  

  A. incomplete

  B. unknown-tcp

  C. insufficient-data

  D. unknown-udp

  Correct Answer: A

• Question 656:

  An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

  All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

  This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

  A. System logs

  B. Traffic logs

  C. WildFire logs

  D. Threat logs

  Correct Answer: C

• Question 657:

  Which statement regarding HA timer settings is true?

  A. Use the Recommended profile for typical failover timer settings

  B. Use the Moderate profile for typical failover timer settings

  C. Use the Aggressive profile for slower failover timer settings.

  D. Use the Critical profile for faster failover timer settings.

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

• Question 658:

  A superuser is tasked with creating administrator accounts for three contractors For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

  Which type of role-based access is most appropriate for this project?

  A. Create a Dynamic Admin with the Panorama Administrator role

  B. Create a Custom Panorama Admin

  C. Create a Device Group and Template Admin

  D. Create a Dynamic Read only superuser

  Correct Answer: C

  A Custom Panorama Admin is a type of role-based access that allows a super user to create separate Panorama administrator accounts for each of the three contractors. This will allow each contractor to work with different device-groups in their hierarchy and deploy policies and objects in accordance with the organization's compliance requirements. The Custom Panorama Admin role also allows the super user to assign separate permissions to each contractor's account, granting them access to only the resources they are authorized to use. This type of role-based access is the most appropriate for this project as it will ensure that each contractor is only able to access the resources they need in order to do their job.

• Question 659:

  A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, / license and /software.

  Why did the bootstrap process fail for the VM-Series firewall in Azure?

  A. All public cloud deployments require the /plugins folder to support proper firewall native integrations

  B. The /content folder is missing from the bootstrap package

  C. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing

  D. The /config or /software folders were missing mandatory files to successfully bootstrap

  Correct Answer: B

• Question 660:

  Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

  

  A. The User-ID agent is connected to a domain controller labeled lab-client.

  B. The host lab-client has been found by the User-ID agent.

  C. The host lab-client has been found by a domain controller.

  D. The User-ID agent is connected to the firewall labeled lab-client.

  Correct Answer: A

  The User-ID agent is connected to a domain controller labeled lab-client.