Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 671:

  Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

  A. Disable SNMP on the management interface.
  B. Application override of SSL application.
  C. Disable logging at session start in Security policies.
  D. Disable predefined reports.
  E. Reduce the traffic being decrypted by the firewall.
  A. Disable SNMP on the management interface.
  C. Disable logging at session start in Security policies.
  D. Disable predefined reports.

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS

• Question 672:

  How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?

  A. Configure a dynamic address group for the addresses to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these addresses when logs are generated in the threat log. Under Device > User Identification > Trusted Source Address, add the condition "NOT malicious."
  B. Configure a dynamic user group for the users to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.
  C. Configure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, create signature policies for the relevant signatures and/or severities. Under the "Actions" tab in "Signature Policies," select "block-user."
  D. N/A
  B. Configure a dynamic user group for the users to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.

  ---

  Explanation

  To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a "malicious" tag, a Log Forwarding profile to tag users in the threat log (e.g.,

  via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

  PAN-OS 11.2 Administrator's Guide, "User-ID" section -Dynamic User Groups; "Policies" section -Log Forwarding.

• Question 673:

  An administrator device-group commit push is tailing due to a new URL category How should the administrator correct this issue?

  A. verify that the URL seed Tile has been downloaded and activated on the firewall
  B. change the new category action to alert" and push the configuration again
  C. update the Firewall Apps and Threat version to match the version of Panorama
  D. ensure that the firewall can communicate with the URL cloud
  C. update the Firewall Apps and Threat version to match the version of Panorama

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqw

• Question 674:

  Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized.

  Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

  A. PAN-OS integrated agent
  B. Captive Portal
  C. Citrix terminal server agent with adequate data-plane resources
  D. Windows-based User-ID agent on a standalone server
  D. Windows-based User-ID agent on a standalone server

  ---

  Explanation

• Question 675:

  You have upgraded your Panorama and Log Collectors lo 10.2 x. Before upgrading your firewalls using Panorama, what do you need do?

  A. Refresh your licenses with Palo Alto Network Support -Panorama/Licenses/Retrieve License Keys from License Server.
  B. Re-associate the firewalls in Panorama/Managed Devices/Summary.
  C. Commit and Push the configurations to the firewalls.
  D. Refresh the Mastor Key in Panorama/Master Key and Diagnostic
  C. Commit and Push the configurations to the firewalls.

  ---

  Explanation

• Question 676:

  To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure.

  A. BGP (Border Gateway Protocol)
  B. PBP (Packet Buffer Protection)
  C. PGP (Packet Gateway Protocol)
  D. PBP (Protocol Based Protection)
  D. PBP (Protocol Based Protection)

  ---

  Explanation

• Question 677:

  A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4. 2.2.2 for the IP address of the web server, www,xyz.com. The DNS server returns an address of 172.16.15.1

  In order to reach Ire web server, which Security rule and NAT rule must be configured on the firewall?

  

  A. NAT Rule: Untrust-L3 (any) -Untrust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) -Trust-L3 (172.16.15.1) -Application: Web-browsing
  B. NAT Rule: Untrust-L3 (any) -Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) -Trust-L3 (192.168.15.47) -Application: Web-browsing
  C. NAT Rule: Untrust-L3 (any) -Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) -Trust-L3 (172.16.15.1) -Application: Web-browsing
  D. NAT Rule: Untrust-L3 (any) -Untrust-L3 (any) Destination Translation: 192.168.15.1 Security Rule: Untrust-L3 (any) -Trust-L3 (172.16.15.1) -Application: Web-browsing
  A. NAT Rule: Untrust-L3 (any) -Untrust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) -Trust-L3 (172.16.15.1) -Application: Web-browsing

  ---

  Explanation

• Question 678:

  Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

  A. service route
  B. data redistribution
  C. SNMP setup
  D. dynamic updates
  A. service route

  ---

  Explanation

  Service route is used when you need to modify the interface (management by default) from which to reach certain services.

• Question 679:

  In URL filtering, which component matches URL patterns?

  A. live URL feeds on the management plane
  B. security processing on the data plane
  C. signature matching on the data plane
  D. single-pass pattern matching on the data plane
  B. security processing on the data plane

  ---

  Explanation

• Question 680:

  Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

  A. Configure a Decryption Profile and select SSL/TLS services.
  B. Set up SSL/TLS under Polices > Service/URL Category>Service.
  C. Set up Security policy rule to allow SSL communication.
  D. Configure an SSL/TLS Profile.
  D. Configure an SSL/TLS Profile.

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-ssltls-service-profile