Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 671:

  Which configuration task is best for reducing load on the management plane?

  A. Disable logging on the default deny rule

  B. Enable session logging at start

  C. Disable pre-defined reports

  D. Set the URL filtering action to send alerts

  Correct Answer: C

• Question 672:

  What are two best practices for incorporating new and modified App-IDs? (Choose two.)

  A. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs

  B. Configure a security policy rule to allow new App-IDs that might have network-wide impact

  C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App- IDs

  D. Study the release notes and install new App-IDs if they are determined to have low impact

  Correct Answer: BD

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage- new-app-ids-introduced-in-content-releases/app-id-updates-workflow.html

• Question 673:

  Which protocol is supported by GlobalProtect Clientless VPN?

  A. HTTPS

  B. FTP

  C. RDP

  D. SSH

  Correct Answer: A

  RDP and SSH are proxied through HTML5 wich is HTTPS

  Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMWare Horizon and Vcenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines

  through Clientless VPN without requiring additional third-party middleware.

  In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN.

  Reference:

  https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

• Question 674:

  In a device group, which two configuration objects are defined? (Choose two )

  A. DNS Proxy

  B. address groups

  C. SSL/TLS profiles

  D. URL Filtering profiles

  Correct Answer: CD

• Question 675:

  When you configure a Layer 3 interface what is one mandatory step?

  A. Configure Security profiles, which need to be attached to each Layer 3 interface

  B. Configure Interface Management profiles which need to be attached to each Layer 3 interface

  C. Configure virtual routers to route the traffic for each Layer 3 interface

  D. Configure service routes to route the traffic for each Layer 3 interface

  Correct Answer: C

  In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure Layer 3 Interfaces, you must configure the Virtual Routers that you want the firewall to use to route the traffic for each Layer 3 interface.

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-3-interfaces.html

• Question 676:

  What are two valid deployment options for Decryption Broker? (Choose two)

  A. Transparent Bridge Security Chain

  B. Layer 3 Security Chain

  C. Layer 2 Security Chain

  D. Transparent Mirror Security Chain

  Correct Answer: AB

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os- admin/decryption/decryption-broker

• Question 677:

  An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

  A. Layer 3 interfaces but configuring EIGRP on the attached virtual router

  B. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

  C. Layer 3 or Aggregate Ethernet interfaces but configuring EIGRP on subinterfaces only

  D. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel {with the GlobalProtect License to support LSVPN and EIGRP protocols)

  Correct Answer: B

  EIGRP is a Cisco proprietary protocol. The dynamic routing protocols supported on the PAN are RIPv2, OSPF and BGP.

• Question 678:

  An engineer must configure the Decryption Broker feature.

  Which Decryption Broker security chain supports bi-directional traffic flow?

  A. Layer 2 security chain

  B. Layer 3 security chain

  C. Transparent Bridge security chain

  D. Transparent Proxy security chain

  Correct Answer: B

  Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.

• Question 679:

  In a firewall, which three decryption methods are valid? (Choose three )

  A. SSL Inbound Inspection

  B. SSL Outbound Proxyless Inspection

  C. SSL Inbound Proxy

  D. Decryption Mirror

  E. SSH Proxy

  Correct Answer: ADE

  You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.

  Ref: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption- overview.html#idd71f8b4d-cd40-4c6c-905f-2f8c7fca6537

• Question 680:

  When using certificate authentication for firewall administration, which method is used for authorization?

  A. Radius

  B. LDAP

  C. Kerberos

  D. Local

  Correct Answer: D

  Authentication: Certificates Authorization: Local The administrative accounts are local to the firewall, but authentication to the web interface is based on client certificates. You use the firewall to manage role assignments but access domains are not supported.