Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 61:

  After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the

  application showing as unknown-tcp.

  Which possible firewall change could have caused this issue?

  A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings

  B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings

  C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers.

  D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification.

  Correct Answer: A

• Question 62:

  A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware category: dns-c2 threat ID:

  1000011111

  Which set of steps should the administrator take to configure an exception for this signature?

  A. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit

  B. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit

  C. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit

  D. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

  Correct Answer: D

  A. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit there is no option to change default action only enable

  B. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit there is no any tab for Exception only signature Exception or DNS exception

  C. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit for sure not vulnerability

  D. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

• Question 63:

  An engineer is attempting to resolve an issue with slow traffic.

  Which PAN-OS feature can be used to prioritize certain network traffic?

  A. Prisma Access for Mobile Users

  B. Forward Error Correction (FEC)

  C. SaaS Quality Profile

  D. Quality of Service (QoS)

  Correct Answer: D

• Question 64:

  An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT.

  Which type of certificate must be installed?

  A. External CA certificate

  B. Server certificate

  C. Device certificate

  D. Self-signed root CA certificate

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain-certificates/device-certificate

• Question 65:

  Which Palo Alto Networks tool provides configuration heat map displays for security controls?

  A. Expedition

  B. Security Life Cycle Review

  C. Prevention Posture Assessment

  D. Best Practice Assessment

  Correct Answer: D

• Question 66:

  Which three authentication types can be used to authenticate users? (Choose three.)

  A. Local database authentication

  B. PingID

  C. Kerberos single sign-on

  D. GlobalProtect client

  E. Cloud authentication service

  Correct Answer: ACE

  The three authentication types that can be used to authenticate users are:

  A: Local database authentication. This is the authentication type that uses the local user database on the firewall or Panorama to store and verify user credentials1.

  C: Cloud authentication service. This is the authentication type that uses a cloud- based identity provider, such as Okta, PingOne, or PingFederate, to authenticate users and provide SAML assertions to the firewall or Panorama2.

  E: Kerberos single sign-on. This is the authentication type that uses the Kerberos protocol to authenticate users who are logged in to a Windows domain and provide them with seamless access to resources on the firewall or Panorama3.

• Question 67:

  Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

  A. Check dependencies

  B. Schedules

  C. Verify

  D. Revert content

  E. Install

  Correct Answer: BDE

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content

• Question 68:

  Given the Sample Log Forwarding Profile shown, which two statements are true? (Choose two.)

  

  A. All traffic from source network 192.168.100.0/24 is sent to an external syslog target.

  B. All threats are logged to Panorama.

  C. All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake.

  D. All traffic from source network 172.12.0.0/24 is sent to Panorama / Cortex Data Lake.

  Correct Answer: AC

  B is not correct as it is sent externally not to Panorama D is not correct as it is 172.12 (not 172.16)

• Question 69:

  An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

  Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

  A. A Certificate profile should be configured with a trusted root CA.

  B. An SSL/TLS Service profile should be configured with a certificate assigned.

  C. An Interface Management profile with HTTP and HTTPS enabled should be configured.

  D. An Authentication profile with the allow list of users should be configured.

  Correct Answer: B

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0

• Question 70:

  

  A QoS profile is configured as shown in the image. The following throughput is realized: Class 3 traffic 325Mbps Class 5 traffic 470Mbps Class 7 traffic: 330Mbps What happens as a result?

  A. Available bandwidth from the unused classes will be used to maintain the Egress Guaranteed throughput for each.

  B. Class 7 traffic will have the most packets dropped in favor of Classes 3 and 5 maintaining their Egress Guaranteed throughput.

  C. All traffic continues to flow based on the overhead in each class's Egress Max settings.

  D. Classes 3, 5, and 7 will each have round-robin packet drops as needed against the profile Egress Max.

  Correct Answer: B

  Priority-Click and select a priority to assign it to a class: real-time high medium low When contention occurs, traffic that is assigned a lower priority is dropped. Real-time priority uses its own separate queue.