Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 701:

  View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)

  

  A. DNS has a higher priority and more bandwidth than SSH.
  B. Google-video has a higher priority and more bandwidth than WebEx.
  C. SMTP has a higher priority but lower bandwidth than Zoom.
  D. Facetime has a higher priority but lower bandwidth than Zoom.
  A. DNS has a higher priority and more bandwidth than SSH.
  D. Facetime has a higher priority but lower bandwidth than Zoom.

  ---

  Explanation

• Question 702:

  Which option is part of the content inspection process?

  A. Packet forwarding process
  B. SSL Proxy re-encrypt
  C. IPsec tunnel encryption
  D. Packet egress process
  B. SSL Proxy re-encrypt

  ---

  Explanation

  http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

• Question 703:

  If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

  A. TLS Bidirectional Inspection
  B. SSL Inbound Inspection
  C. SSH Forward Proxy
  D. SMTP Inbound Decryption
  B. SSL Inbound Inspection

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

  1.SSL Forward Proxy -Inside to Outside (To the the internet)

  2.SSL Inbound Proxy -Outside to Inside (usually towards a hosted webserver in your net)

  3.SSH Forward Proxy -As is states, for SSH traffic. The important one to remember for this type of decryption is that no certs are required.

• Question 704:

  A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers. Which security Profile type will prevent these behaviors?

  A. WildFire
  B. Anti-Spyware
  C. Vulnerability Protection
  D. Antivirus
  B. Anti-Spyware

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/anti-spyware-profiles Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as internet-facing zones.

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

• Question 705:

  A firewall should be advertising the static route 10 2 0 0/24 into OSPF The configuration on the neighbor is correct but the route is not in the neighbor's routing table.

  Which two configurations should you check on the firewall'? (Choose two )

  A. Within the redistribution profile ensure that Redist is selected
  B. In the redistribution profile check that the source type is set to "ospf"
  C. In the OSFP configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section
  D. Ensure that the OSPF neighbor state is "2-Way"
  A. Within the redistribution profile ensure that Redist is selected
  C. In the OSFP configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/network/network-virtual-routers/ospf/ospf-export-rules-tab

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGTCA0

• Question 706:

  An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However this network segment cannot access the dedicated management interface due to the Security policy.

  Without changing the existing access to the management interface how can the engineer fulfill this request?

  A. Enable HTTPS in an Interface Management profile on the subinterface
  B. Add the network segment's IP range to the Permitted IP Addresses list
  C. Specify the subinterface as a management interface in Setup > Device > Interfaces
  D. Configure a service route for HTTP to use the subinterface
  A. Enable HTTPS in an Interface Management profile on the subinterface

  ---

  Explanation

  To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

  This can be achieved by:

  Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.

  Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with

  the firewall for automation purposes.

  This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to

  existing access configurations.

• Question 707:

  A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

  In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? {Choose three.)

  A. External zones with the virtual systems added.
  B. Layer 3 zones for the virtual systems that need to communicate.
  C. Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate.
  D. Add a route with next hop next-vr by using the VR configured in the virtual system.
  E. Ensure the virtual systems are visible to one another.
  A. External zones with the virtual systems added.
  D. Add a route with next hop next-vr by using the VR configured in the virtual system.
  E. Ensure the virtual systems are visible to one another.

  ---

  Explanation

  For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:

  A. External zones with the virtual systems added:

  External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other,

  effectively bypassing the need for traffic to exit and re-enter the firewall.

  D. Add a route with next hop next-vr by using the VR configured in the virtual system:

  When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed

  from one virtual system's VR to another, facilitating communication between them.

  E. Ensure the virtual systems are visible to one another:

  Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you

  can specify which virtual systems can communicate with each other.

  By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.

• Question 708:

  An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization1?

  A. Protection against unknown malware can be provided in near real-time
  B. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
  C. After 24 hours WildFire signatures are included in the antivirus update
  D. WildFire and Threat Prevention combine to minimize the attack surface
  A. Protection against unknown malware can be provided in near real-time

  ---

  Explanation

• Question 709:

  What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

  A. Change the firewall management IP address
  B. Configure a device block list
  C. Add administrator accounts
  D. Rename a vsys on a multi-vsys firewall
  E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
  B. Configure a device block list
  D. Rename a vsys on a multi-vsys firewall
  E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/template-capabilities-and-exceptions

• Question 710:

  A customer would like to support Apple Bonjour in their environment for ease of configuration.

  Which type of interface in needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?

  A. Virtual Wire interface
  B. Layer 3 interface
  C. Layer 2 interface
  D. Loopback interface
  B. Layer 3 interface

  ---

  Explanation