Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 701:

  What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

  A. a Security policy with 'known-user" selected in the Source User field

  B. an Authentication policy with 'unknown' selected in the Source User field

  C. a Security policy with 'unknown' selected in the Source User field

  D. an Authentication policy with 'known-user' selected in the Source User field

  Correct Answer: B

  For a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain, the most effective method is to use an Authentication policy targeting users not yet identified by

  the system.

  an Authentication policy with 'unknown' selected in the Source User field:

  An Authentication policy allows the firewall to challenge unidentified users for credentials. By selecting 'unknown' in the Source User field, the policy targets users who have not yet been identified by the firewall, which would include users on

  new BYOD devices not joined to the domain.

  Once the user provides valid credentials, the firewall can authenticate the user and map their identity to subsequent sessions, enabling the application of user-based policy rules and monitoring.

  This approach ensures that new and unknown devices can be properly authenticated and identified without compromising security or requiring the device to be part of the corporate domain.

• Question 702:

  An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?

  A. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory

  B. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange

  C. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory

  D. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

  Correct Answer: C

• Question 703:

  An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

  If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

  A. Panorama has no connection to Palo Alto Networks update servers

  B. Panorama does not have valid licenses to push the dynamic updates

  C. No service route is configured on the firewalls to Palo Alto Networks update servers

  D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed

  Correct Answer: D

  Locally defined dynamic updates setting on a managed Palo Alto Networks firewall take preference over the Panorama pushed setting. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0

• Question 704:

  An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit does this provide?

  A. Automatically include users as members without having to manually create and commit policy or group changes

  B. DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall

  C. It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies

  D. Schedule commits at a regular intervals to update the DUG with new users matching the tags specified

  Correct Answer: A

  Dynamic user groups help you to create policy that provides auto- remediation for anomalous user behavior and malicious activity while maintaining user visibility. Previously, quarantining users in response to suspicious activity meant time-and resource-consuming updates for all members of the group or updating the IP address-to- username mapping to a label to enforce policy at the cost of user visibility, as well as having to wait until the firewall checked the traffic. Now, you can configure a dynamic user group to automatically include users as members without having to manually create and commit policy or group changes and still maintain user-to-data correlation at the device level before the firewall even scans the traffic. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id- features/dynamic-user-groups.html

• Question 705:

  An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location?

  A. 90Mbps

  B. 300 Mbps

  C. 75Mbps

  D. 50Mbps

  Correct Answer: D

  The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage allocation). https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama- admin/prisma-access-for-networks/how-to-calculate-network-bandwidth

• Question 706:

  What is the best description of the HA4 Keep-Alive Threshold (ms)?

  A. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

  B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

  C. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

  D. The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

  Correct Answer: C

• Question 707:

  Where is information about packet buffer protection logged?

  A. Alert entries are in the Alarms log Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log

  B. All entries are in the System log

  C. Alert entries are in the System log Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

  D. All entries are in the Alarms log

  Correct Answer: C

  The firewall records alert events in the System log, and records events for dropped traffic, discarded sessions, and blocked IP address in the Threat log.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-buffer-protection https://knowledgebase.paloaltonetworks.com/ KCSArticleDetail?id=kA10g000000PNGFCA4

• Question 708:

  A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

  Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

  A. IPsec tunnels using IKEv2

  B. PPTP tunnels

  C. GlobalProtect satellite

  D. GlobalProtect client

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface- help/globalprotect/network-globalprotect-portals/globalprotect-portals-satellite- configuration-tab.html

• Question 709:

  PBF can address which two scenarios? (Select Two)

  A. forwarding all traffic by using source port 78249 to a specific egress interface

  B. providing application connectivity the primary circuit fails

  C. enabling the firewall to bypass Layer 7 inspection

  D. routing FTP to a backup ISP link to save bandwidth on the primary ISP link

  Correct Answer: BD

  Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address

  scenarios like:

  Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.

  Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.

  PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.

• Question 710:

  During SSL decryption which three factors affect resource consumption1? (Choose three )

  A. TLS protocol version

  B. transaction size

  C. key exchange algorithm

  D. applications that use non-standard ports

  E. certificate issuer

  Correct Answer: ABC

  https://docs.paloaltonetworks.com/best-practices/8-1/decryption-best- practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment.html