Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 741:

  Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

  A. not-applicable

  B. incomplete

  C. unknown-ip

  D. unknown-udp

  Correct Answer: D

  To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic--tcp, udp or non-syn-tcp--in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects- in-policy/create-a-custom-application

• Question 742:

  Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

  A. PAN-OS integrated User-ID agent

  B. LDAP Server Profile configuration

  C. GlobalProtect

  D. Windows-based User-ID agent

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id- concepts/user-mapping/globalprotect.html Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.

  Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user- id/user-id-concepts/user-mapping/globalprotect.html

  "On sensitive and high security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely upon User-ID mappings obtained from more isolated and trusted sources, such as domain controllers. If you are using the User-ID Agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, then WMI probing should be disabled. Captive portal can be used as a fallback mechanism to re-authenticate users where security event log data may be stale." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0

• Question 743:

  Which rule type controls end user SSL traffic to external websites?

  A. SSL Outbound Proxyless Inspection

  B. SSL Forward Proxy

  C. SSL Inbound Inspection

  D. SSH Proxy

  Correct Answer: B

  The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

  This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.

• Question 744:

  An administrator receives the following error message:

  "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id. 172.16.33.33/24 type IPv4 address protocol 0 port 0."

  How should the administrator identify the root cause of this error message?

  A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

  B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.

  C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.

  D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

  Correct Answer: B

  The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages.html

• Question 745:

  In the screenshot above which two pieces ot information can be determined from the ACC configuration shown? (Choose two ) A. The Network Activity tab will display all applications, including FTP.

  

  B. Threats with a severity of "high" are always listed at the top of the Threat Name list

  C. Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

  D. The ACC has been filtered to only show the FTP application

  Correct Answer: CD

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures

• Question 746:

  A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices. To install the certificate and key for an endpoint, which three components are required? (Choose three.)

  A. server certificate

  B. local computer store

  C. private key

  D. self-signed certificate

  E. machine certificate

  Correct Answer: BDE

  https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect- admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon.html

• Question 747:

  Which two statements are true for the DNS Security service? (Choose two.)

  A. It eliminates the need for dynamic DNS updates

  B. It functions like PAN-DB and requires activation through the app portal

  C. It removes the 100K limit for DNS entries for the downloaded DNS updates

  D. It is automatically enabled and configured

  Correct Answer: AB

  https://docs.paloaltonetworks.com/dns-security.html

• Question 748:

  A security engineer needs firewall management access on a Inside interface.

  When three settings are required on an SSI/TVS Service Profile to provide secure Wet) Ui authentication? (Choose three.)

  A. Maximum TLS version

  B. Minimum TLS version

  C. Encryption Algorithm

  D. Certificate

  E. Authentication Algorithm

  Correct Answer: ABD

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile

• Question 749:

  Which statement is correct given the following message from the PanGPA log on the GlobalProtect app? Failed to connect to server at port:47 67

  A. The PanGPS process failed to connect to the PanGPA process on port 4767

  B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

  C. The PanGPA process failed to connect to the PanGPS process on port 4767

  D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

  Correct Answer: C

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk6CAC

• Question 750:

  Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two)

  A. Dos Protection policy

  B. QoS Profile

  C. Zone Protection Profile

  D. DoS Protection Profile

  Correct Answer: CD

  Flood Attack Protection Zone Protection Profiles protect against of five types of floods: SYN (TCP) UDP ICMP ICMPv6 Other IP