Exam Details

  • Exam Code: PCNSE
  • Exam Name: Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 860 Q&As
  • Last Updated: May 05, 2025

Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

  • Question 731:

    An engineer is planning an SSL decryption implementation.

    Which of the following statements is a best practice for SSL decryption?

    A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate

    B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate

    C. Use an enterprise CA-signed certificate for the Forward Untrust certificate

    D. Use the same Forward Trust certificate on all firewalls in the network

  • Question 732:

    An existing NGFW customer requires direct internet access offload locally at each site and IPsec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

    A. Configure a remote network on PAN-OS

    B. Upgrade to a PAN-OS SD-WAN subscription

    C. Deploy Prisma SD-WAN with Prisma Access

    D. Configure policy-based forwarding

  • Question 733:

    A customer wants to spin their session load equally across two SD-WAN-enabled interfaces. Where would you configure this setting?

    A. Path Quality profile

    B. ECMP setting on virtual router

    C. Traffic Distribution profile

    D. SD-WAN Interface profile

  • Question 734:

    What best describes the HA Promotion Hold Time?

    A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices

    B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously

    C. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost

    D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

  • Question 735:

    When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

    A. The interface must be used for traffic to the required services

    B. You must enable DoS and zone protection

    C. You must set the interface to Layer 2, Layer 3, or virtual wire

    D. You must use a static IP address

  • Question 736:

    An engineer must configure the Decryption Broker feature. To which router must the engineer assign the decryption forwarding interfaces that are used in the Decryption Broker security chain?

    A. a virtual router that has no additional interfaces for passing data-plane traffic and no other configured routes than those used for the security chain

    B. the virtual router that routes the traffic that the Decryption Broker security chain inspects

    C. a virtual router that is configured with at least one dynamic routing protocol and has at least one entry in the RIB

    D. the default virtual router (if there is no default virtual router, the engineer must create one during setup)

  • Question 737:

    When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices.

    What should you recommend?

    A. Enable SSL decryption for known malicious source IP addresses

    B. Enable SSL decryption for source users and known malicious URL categories

    C. Enable SSL decryption for malicious source users

    D. Enable SSL decryption for known malicious destination IP addresses

  • Question 738:

    To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

    A. Add the policy in the shared device group as a pre-rule

    B. Reference the targeted device's templates in the target device group

    C. Add the policy to the target device group and apply a master device to the device group

    D. Clone the security policy and add it to the other device groups

  • Question 739:

    A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

    What is the correct setting?

    A. Change the HA timer profile to "user-defined" and manually set the timers.

    B. Change the HA timer profile to "fast".

    C. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.

    D. Change the HA timer profile to "quick" and customize in advanced profile.

  • Question 740:

    As a best practice, which URL category should you target first for SSL decryption?

    A. Online Storage and Backup

    B. High Risk

    C. Health and Medicine

    D. Financial Services
