Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 711:

  Refer to Exhibit:

  

  A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.

  He makes an HTTPS connection to 172.16.10.29.

  What is the next hop IP address for the HTTPS traffic from Wills PC.

  A. 172.20.30.1
  B. 172.20.20.1
  C. 172.20.10.1
  D. 172.20.40.1
  B. 172.20.20.1

  ---

  Explanation

• Question 712:

  In the screenshot above which two pieces ot information can be determined from the ACC configuration shown? (Choose two ) A. The Network Activity tab will display all applications, including FTP.

  

  B. Threats with a severity of "high" are always listed at the top of the Threat Name list

  C. Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

  D. The ACC has been filtered to only show the FTP application

  Correct Answer. CD
  CD

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures

• Question 713:

  An administrator connected a new fiber cable and transceiver to interface Ethernetl/l on a Palo Alto Networks firewall. However, the link does not seem to be coming up.

  If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?

  A. show system state filter sw.dev.interface.config
  B. show chassis status slot s1
  C. show system state filter-pretty sys.s1.*
  D. show system state filter ethernet1/1
  C. show system state filter-pretty sys.s1.*

  ---

  Explanation

  The correct syntax should be show system state filter-pretty sys.s1.p1.phy, where s is slot 1, p is port one = ethernet1/1

• Question 714:

  A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

  A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096 in the "Tag Allowed" field of the V-Wire object.
  B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.
  C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface tA. unique zone. Do not assign any interface an IP address.
  D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.
  B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

• Question 715:

  The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

  A. 6-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone
  B. 5-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol
  C. 7-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone
  D. 9-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
  A. 6-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0 On a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone.

• Question 716:

  Which configuration is backed up using the Scheduled Config Export feature in Panorama?

  A. Panorama running configuration
  B. Panorama candidate configuration
  C. Panorama candidate configuration and candidate configuration of all managed devices
  D. Panorama running configuration and running configuration of all managed devices
  D. Panorama running configuration and running configuration of all managed devices

  ---

  Explanation

• Question 717:

  The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?

  A. Review high-severity system logs to identify why the threat is missing in "Vulnerability Profile Exceptions"
  B. Select "Show all signatures" within the vulnerability protection profile under "Exceptions"
  C. Review traffic logs to add the exception from there
  D. Open a support case
  B. Select "Show all signatures" within the vulnerability protection profile under "Exceptions"

  ---

  Explanation

  When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting "Show all signatures" (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an

  exception efficiently. This is the fastest way to resolve false positives without external assistance.

  PAN-OS 11.2 Administrator's Guide, "Security Profiles" section -Vulnerability Protection Exceptions.

• Question 718:

  How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  A. Configure the option for "Threshold".
  B. Disable automatic updates during weekdays.
  C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
  D. Automatically "download and install" but with the "disable new applications" option used.
  A. Configure the option for "Threshold".

  ---

  Explanation

  For Antivirus and Applications and Threats updates, you have the option to set a minimum Threshold of time that a content update must be available before the firewall installs it. Very rarely, there can be an error in a content update and this threshold ensures that the firewall only downloads content releases that have been available and functioning in customer environments for the specified amount of time. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-updates

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-dynamic-updates.html

• Question 719:

  Which administrative authentication method supports authorization by an external service?

  A. Certificates
  B. LDAP
  C. RADIUS
  D. SSH keys
  C. RADIUS

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

• Question 720:

  A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

  Which VPN configuration would adapt to changes when deployed to the future site?

  A. Preconfigured GlobalProtect satellite
  B. Preconfigured GlobalProtect client
  C. Preconfigured IPsec tunnels
  D. Preconfigured PPTP Tunnels
  A. Preconfigured GlobalProtect satellite

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale-vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite-configurations.html