Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 711:

  What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

  A. the website matches a category that is not allowed for most users

  B. the website matches a high-risk category

  C. the web server requires mutual authentication

  D. the website matches a sensitive category

  Correct Answer: CD

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/decryption/decryption-exclusions/palo-alto-networks-predefined-decryption-exclusions.html The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption commonly used sites that break decryption because of technical reasons such as pinned certificates and mutual authentication.

• Question 712:

  When you configure an active/active high availability pair which two links can you use? (Choose two)

  A. HA2 backup

  B. HA3

  C. Console Backup

  D. HSCI-C

  Correct Answer: AB

• Question 713:

  A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:

  

  The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users.

  Which two settings must the customer configure? (Choose two)

  A. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group

  B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server

  C. Configure a Log Forwarding profile, select the syslog checkbox and add the Splunk syslog server Apply the Log Forwarding profile to all of the security policy rules in the Mobiie_User_Device_Group

  D. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server

  Correct Answer: BC

• Question 714:

  A network security engineer wants to prevent resource-consumption issues on the firewall.

  Which strategy is consistent with decryption best practices to ensure consistent performance?

  A. Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic

  B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic

  C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive

  D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

• Question 715:

  An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama The enterprise already uses GlobalProtect with SAML authentication to obtain iP-touser mapping information.

  However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.

  How can portaes based on group mapping be learned and enforced in Prisma Access?

  A. Configure Prisma Access to learn group mapping via SAML assertion

  B. Assign a master device in Panorama through which Prisma Access learns groups

  C. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access

  D. Create a group mapping configuration that references an LDAP profile that points to on- premises domain controllers

  Correct Answer: B

  Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-series firewalls as a Master Device. If you don't configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead. https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama- admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prismaaccess.html

• Question 716:

  When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?

  A. OSPFv3

  B. BGP

  C. OSPF

  D. RIP

  Correct Answer: C

• Question 717:

  What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

  A. SSL/TLS Service profile

  B. Certificate profile

  C. SCEP

  D. OCSP Responder

  Correct Answer: C

• Question 718:

  Which CLI command displays the physical media that are connected to ethernetl/8?

  A. > show system state filter-pretty sys.si.p8.stats

  B. > show interface ethernetl/8

  C. > show system state filter-pretty sys.sl.p8.phy

  D. > show system state filter-pretty sys.si.p8.med

  Correct Answer: C

  Example output:

  > show system state filter-pretty sys.s1.p1.phy

  sys.s1.p1.phy: {

  link-partner: { },

  media: CAT5,

  type: Ethernet,

  }

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC

• Question 719:

  Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

  A. show session all ssI-decrypt yes count yes

  B. show session filter ssl-decryption yes total-count yes

  C. show session all filter ssl-decrypt yes count yes

  D. show session all filter ssl-decryption yes total-count yes

  Correct Answer: C

• Question 720:

  An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

  A. review the configuration logs on the Monitor tab

  B. click Preview Changes under Push Scope

  C. use Test Policy Match to review the policies in Panorama

  D. context-switch to the affected firewall and use the configuration audit tool

  Correct Answer: A

  When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the "Preview Changes" feature.

  Click Preview Changes under Push Scope:

  The "Preview Changes" option is available under the "Push Scope" in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently

  pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.

  This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.

  This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html