Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 681:

  An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

  Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

  A. Non-functional
  B. Passive
  C. Active-Secondary
  D. Active
  D. Active

  ---

  Explanation

• Question 682:

  To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

  A. Device>Setup>Services>AutoFocus
  B. Device> Setup>Management >AutoFocus
  C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
  D. Device>Setup>WildFire>AutoFocus
  E. Device>Setup> Management> Logging and Reporting Settings
  B. Device> Setup>Management >AutoFocus

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence

• Question 683:

  A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.

  Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

  A. application: web-browsing; service: application-default
  B. application: web-browsing; service: service-https
  C. application: ssl; service: any
  D. application: web-browsing; service: (custom with destination TCP port 8080)
  D. application: web-browsing; service: (custom with destination TCP port 8080)

  ---

  Explanation

  If you check in the FW the default port for web-browsing is TCP 80, so you will need a custom app. admin@PA-LAB-01# show predefined application web-browsing web-browsing { category general-internet; subcategory internet-utility; technology browser-based; analysis 'Web browsing continues to evolve. Initially used to simply view HTML formatted information, web browsers have become the client, through which, users can access new applications that provide functionality far beyond simple information browsing. These applications include web mail, instant messaging, streaming media, web conferencing, blogs, file sharing and other social networkingapplications. Much of the plain web-browsing activities has effectively been overshadowed by all the other applications. } default { port tcp/80; } tunnel-applications http-proxy; risk 4; } [edit]

• Question 684:

  A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?

  A. test routing fib-lookup ip 10.2.5.0/24 virtual-router default
  B. test routing route ip 10.2.5.3
  C. test routing route ip 10.2.5.3 virtual-router default
  D. test routing fib-lookup ip 10.2.5.3 virtual-router default
  D. test routing fib-lookup ip 10.2.5.3 virtual-router default

  ---

  Explanation

  To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default . This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYJCA0

• Question 685:

  Which two interface types can be used when configuring GlobalProtect Portal? (Choose two)

  A. Virtual Wire
  B. Loopback
  C. Layer 3
  D. Tunnel
  B. Loopback
  C. Layer 3

  ---

  Explanation

• Question 686:

  An administrator wants to enable zone protection.

  Before doing so, what must the administrator consider?

  A. Activate a zone protection subscription.
  B. To increase bandwidth no more than one firewall interface should be connected to a zone
  C. Security policy rules do not prevent lateral movement of traffic between zones
  D. The zone protection profile will apply to all interfaces within that zone
  D. The zone protection profile will apply to all interfaces within that zone

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/how-do-zones-protect-the-network

• Question 687:

  Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

  

  A. Yes, because the action is set to alert
  B. No, because this is an example from a defeated phishing attack
  C. No, because the severity is high and the verdict is malicious.
  D. Yes, because the action is set to allow.
  D. Yes, because the action is set to allow.

  ---

  Explanation

  As long as the action is set to allow, then it will still allow it. Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/ threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae

• Question 688:

  What is the purpose of the firewall decryption broker?

  A. Decrypt SSL traffic a then send it as cleartext to a security chain of inspection tools
  B. Force decryption of previously unknown cipher suites
  C. Inspection traffic within IPsec tunnel
  D. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools
  A. Decrypt SSL traffic a then send it as cleartext to a security chain of inspection tools

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/decryption-features/decryption-broker

• Question 689:

  A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server on DHCP agent configuration.

  Which interface mode can the broadcast DHCP traffic?

  A. Virtual ware
  B. Tap
  C. Layer 2
  D. Layer 3
  B. Tap

  ---

  Explanation

• Question 690:

  DRAG DROP

  Please match the terms to their corresponding definitions.

  Select and Place:

  

  

  Explanation