Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 691:

  An administrator is seeing one of the firewalls in a HA active/passive pair moved to 'suspended" state due to Non-functional loop. Which three actions will help the administrator troubleshool this issue? (Choose three.)

  A. Use the CLI command show high-availability flap-statistics
  B. Check the HA Link Monitoring interface cables.
  C. Check the High Availability > Link and Path Monitoring settings.
  D. Check High Availability > Active/Passive Settings > Passive Link State
  E. Check the High Availability > HA Communications > Packet Forwarding settings.
  A. Use the CLI command show high-availability flap-statistics
  B. Check the HA Link Monitoring interface cables.
  C. Check the High Availability > Link and Path Monitoring settings.

  ---

  Explanation

• Question 692:

  What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?

  A. It blocks all communication with the server indefinitely.
  B. It downgrades the protocol to ensure compatibility.
  C. It automatically adds the server to the SSL Decryption Exclusion list.
  D. It generates an decryption error message but allows the traffic to continue decryption.
  C. It automatically adds the server to the SSL Decryption Exclusion list.

  ---

  Explanation

• Question 693:

  DRAG DROP

  Match each SD-WAN configuration element to the description of that element.

  Select and Place:

  

  

  Explanation

  An SD-WAN Interface Profile specifies the Tag that you apply to the physical interface, and also specifies the type of Link that interface is (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFi, or other). The Interface Profile is also where you specify the maximum upload and download speeds (in Mbps) of the ISP's connection. You can also change whether the firewall monitors the path frequently or not; the firewall monitors link types appropriately by default. A Layer3 Ethernet Interface with an IPv4 address can support SD-WAN functionalities. You apply an SD-WAN Interface Profile to this interface (red arrow) to indicate the characteristics of the interface. The blue arrow indicates that physical Interfaces are referenced and grouped in a virtual SD-WAN Interface. A virtual SD-WAN Interface is a VPN tunnel or DIA group of one or more interfaces that constitute a numbered, virtual SD-WAN Interface to which you can route traffic. The paths belonging to an SD-WAN Interface all go to the same destination WAN and are all the same type (either DIA or VPN tunnel). (Tag A and Tag B indicate that physical interfaces for the virtual interface can have different tags.) A Path Quality Profile specifies maximum latency, jitter, and packet loss thresholds. Exceeding a threshold indicates that the path has deteriorated and the firewall needs to select a new path to the target. A sensitivity setting of high, medium, or low lets you indicate to the firewall which path monitoring parameter is more important for the applications to which the profile applies. The green arrow indicates that you reference a Path Quality Profile in one or more SD-WAN Policy Rules; thus, you can specify different thresholds for rules applied to packets having different applications, services, sources, destinations, zones, and users. A Traffic Distribution Profile specifies how the firewall determines a new best path if the current preferred path exceeds a path quality threshold. You specify which Tags the distribution method uses to narrow its selection of a new path; hence, the yellow arrow points from Tags to the Traffic Distribution profile. A Traffic Distribution profile specifies the distribution method for the rule. The preceding elements come together in SD-WAN Policy Rules The purple arrow indicates that you reference a Path Qualify Profile and a Traffic Distribution profile in a rule, along with packet applications/services, sources, destinations, and users to specifically indicate when and how the firewall performs application-based SD-WAN path selection for a packet not belonging to a session.

  https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/sd-wan-configuration-elements.html

• Question 694:

  Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

  A. Number of blocked sessions
  B. TLS protocol version
  C. Encryption algorithm
  D. Number of security zones in decryption policies
  B. TLS protocol version
  C. Encryption algorithm

  ---

  Explanation

  According to the Palo Alto Networks documentation, decryption consumes firewall CPU resources, so it is important to evaluate the amount of SSL decryption that the firewall deployment can support. Two factors that affect the CPU consumption are the TLS protocol version and the encryption algorithm used by the encrypted traffic. The newer versions of TLS (such as TLS 1.3) and the stronger encryption algorithms (such as AES-256-GCM) require more CPU resources to decrypt than the older versions and weaker algorithms. Therefore, the correct answer is B and

  C. The other options are not relevant or important for sizing a decryption firewall deployment: Number of blocked sessions: This option refers to the number of sessions that the firewall blocks based on Security policy rules. It does not affect the decryption performance or resource consumption. Number of security zones in decryption policies: This option refers to the number of security zones that are used to define the source and destination of the traffic to be decrypted. It does not affect the decryption performance or resource consumption.

  References: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

• Question 695:

  In a device group, which two configuration objects are defined? (Choose two )

  A. DNS Proxy
  B. address groups
  C. SSL/TLS profiles
  D. URL Filtering profiles
  C. SSL/TLS profiles
  D. URL Filtering profiles

  ---

  Explanation

• Question 696:

  A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

  Which two mandatory options are used to configure a VLAN interface? (Choose two.)

  A. Virtual router
  B. Security zone
  C. ARP entries
  D. Netflow Profile
  A. Virtual router
  B. Security zone

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-interfaces/pa-7000-series-layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd-8064499f5b9d

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

  VLAN interface is not necessary but in this scenarion we assume it is. Create VLAN object, VLAN interface and VLAN Zone. Attach VLAN interface to VLAN object together with two L2 interfaces then attach VLAN interface to virtual router. Without VLAN interface you can pass traffic between interfaces on the same network and with VLAN interface you can route traffic to other networks.

• Question 697:

  DRAG DROP Match each type of DoS attack to an example of that type of attack

  Select and Place:

  

  

  Explanation

  Plan to defend your network against different types of DoS attacks:

  Application-Based Attacks

  --Target weaknesses in a particular application and try to exhaust its resources so legitimate users can't use it. An example of this is the Slowloris attack.

  Protocol-Based Attacks

  --Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.

  Volumetric Attacks

  --High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense.html

• Question 698:

  In a template you can configure which two objects? (Choose two.)

  A. SD WAN path quality profile
  B. application group
  C. IPsec tunnel
  D. Monitor profile
  C. IPsec tunnel
  D. Monitor profile

  ---

  Explanation

• Question 699:

  A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

  Which set of steps should the engineer take to accomplish this objective?

  A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32. 2. Check the box for negate option to negate this IP from the NAT translation.
  B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23. 2. Check the box for negate option to negate this IP subnet from NAT translation.
  C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2.Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3.Place (NAT-Rule-2) above (NAT-Rule-1).
  D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2.Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3.Place (NAT-Rule-1) above (NAT-Rule-2).
  D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2.Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3.Place (NAT-Rule-1) above (NAT-Rule-2).

  ---

  Explanation

  In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

  Place a more specific NAT rule above the broader one:

  Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.

  Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.

  Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.

  This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.

• Question 700:

  Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

  A. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
  B. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
  C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
  D. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange
  C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

  ---

  Explanation

  First sentence of this article. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring