Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 681:

  Before you upgrade a Palo Alto Networks NGFW, what must you do?

  A. Make sure that the PAN-OS support contract is valid for at least another year

  B. Export a device state of the firewall

  C. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

  D. Make sure that the firewall is running a supported version of the app + threat update

  Correct Answer: D

• Question 682:

  An administrator needs to gather information about the firewall CPU utiliza-tion on both the management plane and the data plane. Where does the administrator view the desired data?

  A. Application Command and Control Center

  B. Monitor > Utilization

  C. Support > Resources

  D. System Resources Widget on the Dashboard

  Correct Answer: D

  The System Resources widget on the Dashboard in the WebUI shows both the management plane and data plane CPU utilization as well as other system resources such as memory, disk, and session. The other options do not show both the management plane and data plane CPU utilization. The Application Command and Control Center (ACC) shows the network activity and application usage based on traffic logs. The Monitor > Utilization page shows the interface utilization and packet buffer utilization. The Support > Resources page shows the system resources for Panorama only.

  References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/dashboard/dashboard-widgets https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc/acc-overview https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/monitor/monitor-utilization https://docs.paloaltonetworks.com/panorama/10-2/panorama-web-interface-help/support/support-resources

• Question 683:

  When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

  A. Disable HA

  B. Disable the HA2 link

  C. Disable config sync

  D. Set the passive link state to 'shutdown.

  Correct Answer: C

  To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to

  synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported

  configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama.

  References: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)

• Question 684:

  To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices You must collect IP address-to- username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves The wireless devices are from various manufacturers.

  Given the scenario, choose the option for sending IP address-to-username mappings to the firewall

  A. UID redistribution

  B. RADIUS

  C. syslog listener

  D. XFF headers

  Correct Answer: C

• Question 685:

  Use the image below. If the firewall has the displayed link monitoring configuration what will cause a failover?

  

  A. ethernet1/3 and ethernet1/6 going down

  B. ethernet1/3 going down

  C. ethernet1/6 going down

  D. ethernet1/3 or ethernet1/6 going down

  Correct Answer: A

  Link Monitoring Failure Condition is All / Link Group also is All. Even with Any / All, Link Group takes precedences... Suppose we have only one entry in the Link group. If the link monitoring has a failure condition of any and Link group has a group failure condition of all, then all is preferred, because whatever's configured in the Link group takes precedence.

• Question 686:

  Which two features require another license on the NGFW? (Choose two.)

  A. SSL Inbound Inspection

  B. SSL Forward Proxy

  C. Decryption Mirror

  D. Decryption Broker

  Correct Answer: CD

• Question 687:

  The UDP-4501 protocol-port is used between which two GlobalProtect components?

  A. GlobalProtect app and GlobalProtect gateway

  B. GlobalProtect portal and GlobalProtect gateway

  C. GlobalProtect app and GlobalProtect satellite

  D. GlobalProtect app and GlobalProtect portal

  Correct Answer: A

  UDP 4501 Used for IPSec tunnel connections between GlobalProtect apps and gateways. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall- administration/reference-port-number-usage/ports-used-for-globalprotect.html

• Question 688:

  Refer to the diagram.

  

  An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups.

  Where will the object need to be created within the device-group hierarchy?

  A. Americas

  B. US

  C. East

  D. West

  Correct Answer: A

• Question 689:

  Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

  A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

  B. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks

  C. Add a WildFire subscription to activate DoS and zone protection features

  D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems

  Correct Answer: A

  1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone- protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone- protection-using-best- practices.html#:~:text=DoS%20and%20Zone% 20Protection%20help,device%20at%20the %20internet%20perimeter.

  2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos- protection/zone-defense/take-baseline-cps-measurements-for-setting-flood- thresholds/how-to-measure-cps.html https://docs.paloaltonetworks.com/ pan-os/10-1/pan-os-admin/zone-protection-and-dos- protection.html

• Question 690:

  What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?

  A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.

  B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.

  C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.

  D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).

  Correct Answer: C

  If there is no match to any SD-WAN policy rule in the list, the session matches an implied SD-WAN policy rule at the end of the list that uses the round-robin method to distribute unmatched sessions among all links in one SD-WAN interface, which is based on the route lookup.