PCNSE Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: Mar 23, 2026

Palo Alto Networks PCNSE Online Questions & Answers

  • Question 651:

    A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

    What is the correct setting?

    A. Change the HA timer profile to "user-defined" and manually set the timers.
    B. Change the HA timer profile to "fast".
    C. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
    D. Change the HA timer profile to "quick" and customize in advanced profile.

  • Question 652:

    Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)

    A. RADIUS
    B. TACACS+
    C. Kerberos
    D. LDAP
    E. SAML

  • Question 653:

    Support for which authentication method was added in PAN-OS 8.0?

    A. RADIUS
    B. LDAP
    C. Diameter
    D. TACACS+

  • Question 654:

    An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)

    A. Inherit settings from the Shared group
    B. Inherit IPSec crypto profiles
    C. Inherit all Security policy rules and objects
    D. Inherit parent Security policy rules and objects

  • Question 655:

    During the packet flow process, which two processes are performed in application identification? (Choose two.)

    A. Pattern based application identification
    B. Application override policy match
    C. Application changed from content inspection
    D. Session application identified.

  • Question 656:

    Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

    A. The firewall is in multi-vsys mode.
    B. The traffic is offloaded.
    C. The traffic does not match the packet capture filter.
    D. The firewall's DP CPU is higher than 50%.

  • Question 657:

    What must be used in a Security policy rule that contains addresses where NAT policy applies?

    A. Pre-NAT addresses and Pre-NAT zones
    B. Post-NAT addresses and Post-NAT zones
    C. Pre-NAT addresses and Post-NAT zones
    D. Post-NAT addresses and Pre-NAT zones

  • Question 658:

    What is the best description of the Cluster Synchronization Timeout (min)?

    A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
    B. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
    C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
    D. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

  • Question 659:

    Which feature of PAN-OS SD-WAN allows you to configure a bandwidth-intensive application to go directly to the internet through the branch's ISP link instead of going back to the data-center hub through the VPN tunnel, thus saving WAN bandwidth costs?

    A. SD-WAN Full Mesh with branches only
    B. SD-WAN direct internet access (DIA) links
    C. SD-WAN Interface profile
    D. VPN Cluster

  • Question 660:

    A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60.

    Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40.

    The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, it confirms a successful ping test to 198.51.100.88.

    Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

    A. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.
    B. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address," both external servers as "Destination Address," and Source Translation remaining as is with bidirectional option enabled.
    C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.
    D. Sharing a single NAT IP is possible for outbound connectivity, not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.
