Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 721:

  A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise?( Choose three) A. Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.

  B. Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.

  C. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.

  D. Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.

  E. Download and install PAN-OS 8.0.4 directly on each firewall.

  F. Download and push PAN-OS 8.0.4 from Panorama to each firewall.

  Correct Answer. ACF
  ACF

  ---

  Explanation

• Question 722:

  Which command can be used to validate a Captive Portal policy?

  A. eval captive-portal policy
  B. request cp-policy-eval
  C. test cp-policy-match
  D. debug cp-policy
  C. test cp-policy-match

  ---

  Explanation

• Question 723:

  Which two actions can the administrative role called "vsysadmin" perform? (Choose two)

  A. Configure resource limits for the NGFW system
  B. Commit changes made to the candidate configuration of the assigned vsys
  C. Create and edit Security policies and security profiles for only the assigned vsys
  D. Configure interfaces and subinterfaces that exist in the assigned vsys
  B. Commit changes made to the candidate configuration of the assigned vsys
  C. Create and edit Security policies and security profiles for only the assigned vsys

  ---

  Explanation

  The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

  PAN-OS 11.2 Administrator's Guide, "Admin Roles" section

  -Virtual System Administrator Role.

• Question 724:

  Starling with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?

  A. Configuration
  B. GlobalProtect
  C. Authentication
  D. System
  B. GlobalProtect

  ---

  Explanation

• Question 725:

  A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

  A. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"
  B. Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration
  C. Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration
  D. Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"
  B. Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration

  ---

  Explanation

  https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management.html

• Question 726:

  While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

  A. show system setting ssl-decrypt certs
  B. show systea setting ssl-decrypt certificate-cache
  C. show systen setting ssl-decrypt certificate
  D. debug dataplane show ssl-decrypt ssl-stats
  A. show system setting ssl-decrypt certs

  ---

  Explanation

• Question 727:

  Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

  A. Vulnerability Object
  B. DoS Protection Profile
  C. Data Filtering Profile
  D. Zone Protection Profile
  B. DoS Protection Profile
  D. Zone Protection Profile

  ---

  Explanation

• Question 728:

  A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

  Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

  A. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
  B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.
  C. Upload the image to Panorama > Software menu, and deploy it to the firewalls.
  D. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.
  A. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

  ---

  Explanation

  In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:

  Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls:

  The engineer first uploads the downloaded PAN-OS images to Panorama. This is done through the "Device Deployment" section, specifically under the "Software" menu. This area of Panorama's interface is designed for managing PAN-OS

  versions and software updates for the managed devices.

  Once the PAN-OS images are uploaded to Panorama, the engineer can then deploy these images to the firewalls directly from Panorama. This process allows for centralized management of software updates, ensuring that all firewalls can be

  updated to the latest PAN-OS version in a consistent and controlled manner, even without direct internet access.

  This method streamlines the update process for environments with strict security requirements, allowing for the efficient deployment of necessary PAN-OS updates to maintain security and functionality.

• Question 729:

  An administrator has left a firewall to use the data of port for all management service which there functions are performed by the data face? (Choose three.)

  A. NTP
  B. Antivirus
  C. Wildfire updates
  D. NAT
  E. File tracking
  A. NTP
  C. Wildfire updates
  D. NAT

  ---

  Explanation

• Question 730:

  An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

  Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

  A. DNS proxy
  B. Explicit proxy
  C. SSL forward proxy
  D. Transparent proxy
  D. Transparent proxy

  ---

  Explanation

  A transparent proxy is a type of web proxy that intercepts and redirects HTTP and HTTPS requests without requiring any configuration on the client browser1. The firewall acts as a gateway between the client and the web server, and performs security checks on the traffic. A transparent proxy can be configured on PAN-OS 11.0 firewalls by performing the following steps1: Enable Web Proxy under Device > Setup > Services Select Transparent Proxy as the Proxy Type Configure a Service Route for Web Proxy Configure SSL/TLS Service Profile for Web Proxy Configure Security Policy Rules for Web Proxy Traffic By configuring a transparent proxy on PAN-OS 11.0 firewalls, an organization can migrate from their existing web proxy architecture without changing their network topology or client settings2. The firewall will maintain the same type of traffic flow as before, where HTTP and HTTPS requests contain the IP address of the web server and the client browser is redirected to the proxy1. Answer A is not correct because DNS proxy is a type of web proxy that intercepts DNS queries from clients and resolves them using an external DNS server3. This type of proxy does not redirect HTTP or HTTPS requests to the firewall.