Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 751:

  When overriding a template configuration locally on a firewall, what should you consider?

  A. Only Panorama can revert the override

  B. Panorama will lose visibility into the overridden configuration

  C. Panorama will update the template with the overridden value

  D. The firewall template will show that it is out of sync within Panorama

  Correct Answer: B

  Based on my knowledge out-of-sync message appear on Panorama only was perform a commit to Panorama but not pushed to the NGFW. https://live.paloaltonetworks.com/t5/general-topics/reason-for-out-of-sync-message-in- panorama/tdp/328292

• Question 752:

  A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.

  In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

  

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: A

• Question 753:

  Refer to the exhibit.

  

  Which certificate can be used as the Forward Trust certificate?

  A. Domain Sub-CA

  B. Domain-Root-Cert

  C. Certificate from Default Trusted Certificate Authorities

  D. Forward-Trust

  Correct Answer: A

• Question 754:

  An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1 The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

  A. Upgrade directly to the target major version

  B. Upgrade one major version at a time

  C. Upgrade the HA pair to a base image

  D. Upgrade two major versions at a time

  Correct Answer: B

  When you upgrade from one PAN-OS feature release version to a later feature release, you cannot skip the installation of any feature release versions in the path to your target release. In addition, the recommended upgrade path includes installing the latest maintenance release in each release version before you install the base image for the next feature release version. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- upgrade/upgrade-pan-os/upgrade-the-firewall-panos/determine-the-upgrade-path.html

• Question 755:

  Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized.

  Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

  A. PAN-OS integrated agent

  B. Captive Portal

  C. Citrix terminal server agent with adequate data-plane resources

  D. Windows-based User-ID agent on a standalone server

  Correct Answer: D

• Question 756:

  An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version. What is considered best practice for this scenario?

  A. Perform the Panorama and firewall upgrades simultaneously

  B. Upgrade the firewall first wait at least 24 hours and then upgrade the Panorama version

  C. Upgrade Panorama to a version at or above the target firewall version

  D. Export the device state perform the update, and then import the device state

  Correct Answer: C

• Question 757:

  What are two characteristic types that can be defined for a variable? (Choose two )

  A. zone

  B. FQDN

  C. path group

  D. IP netmask

  Correct Answer: BD

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface- help/panorama-web-interface/panorama-templates/panorama-templates-template- variable.html

• Question 758:

  When setting up a security profile which three items can you use? (Choose three )

  A. Wildfire analysis

  B. anti-ransom ware

  C. antivirus

  D. URL filtering

  E. decryption profile

  Correct Answer: ACD

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security- profiles

• Question 759:

  A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

  A. URL Filtering profile

  B. Vulnerability Protection profile

  C. Data Filtering profile

  D. DoS Protection profile

  Correct Answer: D

• Question 760:

  An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?

  A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.

  B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

  C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

  D. The WildFire Global Cloud only provides bare metal analysis.

  Correct Answer: C

  Each WildFire cloud--global (U.S.), regional, and private--analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html