Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 721:

  You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?

  A. Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

  B. Create an Application Group and add business-systems to it.

  C. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

  D. Create an Application Filter and name it Office Programs then filter on the business- systems category.

  Correct Answer: C

• Question 722:

  An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization1?

  A. Protection against unknown malware can be provided in near real-time

  B. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall

  C. After 24 hours WildFire signatures are included in the antivirus update

  D. WildFire and Threat Prevention combine to minimize the attack surface

  Correct Answer: A

• Question 723:

  A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

  A. Use the "import Panorama configuration snapshot" operation, then perform a device- group commit push with "include device and network templates"

  B. Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration

  C. Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration

  D. Use the "import device configuration to Panorama" operation, then perform a device- group commit push with "include device and network templates"

  Correct Answer: B

  https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage- firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama- management.html

• Question 724:

  Which Panorama objects restrict administrative access to specific device-groups?

  A. templates

  B. admin roles

  C. access domains

  D. authentication profiles

  Correct Answer: C

  Access domains control administrative access to specific Device Groups and templates, and also control the ability to switch context to the web interface of managed firewalls. https://docs.paloaltonetworks.com/panorama/10-1/panoramaadmin/panorama- overview/role-based-access-control/access-domains.html

• Question 725:

  In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

  A. wildcard server certificate

  B. enterprise CA certificate

  C. client certificate

  D. server certificate

  E. self-signed CA certificate

  Correct Answer: BE

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/decryption/configure-ssl-forward-proxy.html

• Question 726:

  You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For Which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)

  A. High

  B. Medium

  C. Critical

  D. Informational

  E. Low

  Correct Answer: ABC

  The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats.

• Question 727:

  Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

  A. No Direct Access to local networks

  B. Satellite mode

  C. Tunnel mode

  D. IPSec mode

  Correct Answer: C

  To enable split-tunneling by access route, destination domain, and application, you need to configure a split tunnel based on the domain and application on your GlobalProtect gateway. This allows you to specify which domains and applications are included or excluded from the VPN tunnel.

• Question 728:

  When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

  A. Certificate profile

  B. Path Quality profile

  C. SD-WAN Interface profile

  D. Traffic Distribution profile

  Correct Answer: C

• Question 729:

  Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

  A. inherit address-objects from templates

  B. define a common standard template configuration for firewalls

  C. standardize server profiles and authentication configuration across all stacks

  D. standardize log-forwarding profiles for security polices across all stacks

  Correct Answer: BC

  Template stacks simplify management because they allow you to define a common base configuration for all devices attached to the template stack and they give you the ability to layer templates to create a combined configuration.

• Question 730:

  An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route. What are two reasons why the firewall might not use a static route? (Choose two.)

  A. no install on the route

  B. duplicate static route

  C. path monitoring on the static route

  D. disabling of the static route

  Correct Answer: AC

  Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static- routes/static-route-removal-based-on-path-monitoring.html https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/static- routes/configure-a-static-route.html