Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 761:

  Which GlobalProtect component must be configured to enable Clientless VPN?

  A. GlobalProtect satellite

  B. GlobalProtect app

  C. GlobalProtect portal

  D. GlobalProtect gateway

  Correct Answer: C

  Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used with an existing one. https://www.nstec.com/ how-to-configure-clientless-vpn-in-palo-alto/#5

• Question 762:

  The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

  Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

  A. action 'reset-both' and packet capture 'extended-capture'

  B. action 'default' and packet capture 'single-packet'

  C. action 'reset-both' and packet capture 'single-packet'

  D. action 'reset-server' and packet capture 'disable'

  Correct Answer: C

  https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best- practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

  "Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. " https://docs.paloaltonetworks.com/pan-os/9-1/pan-os- web-interface-help/objects/objects-security-profilesvulnerability-protection

• Question 763:

  What are three types of Decryption Policy rules? (Choose three.)

  A. SSL Inbound Inspection

  B. SSH Proxy

  C. SSL Forward Proxy

  D. Decryption Broker

  E. Decryption Mirror

  Correct Answer: ABC

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/define-traffic-to- decrypt/create-a-decryption-policy-rule

• Question 764:

  An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?

  A. Create the appropriate rules with a Block action and apply them at the top of the Default Rules

  B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

  C. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

  D. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules

  Correct Answer: D

  In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules.For verification, please refer to the Palo Alto Networks "PAN-OS?Administrator's Guide" or the official configuration documentation for Panorama and device group rules.

• Question 765:

  A variable name must start with which symbol?

  A. $

  B. and

  C. !

  D. #

  Correct Answer: A

  https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage- firewalls/manage-templates-and-template-stacks/configure-template-or-template-stack- variables.html

• Question 766:

  The following objects and policies are defined in a device group hierarchy A. Option A

  

  

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: A

• Question 767:

  While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

  A. show system setting ssl-decrypt certs

  B. show systea setting ssl-decrypt certificate-cache

  C. show systen setting ssl-decrypt certificate

  D. debug dataplane show ssl-decrypt ssl-stats

  Correct Answer: A

• Question 768:

  A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.

  Which configuration is necessary to retrieve groups from Panorama?

  A. Configure an LDAP Server profile and enable the User-ID service on the management interface.

  B. Configure a group mapping profile to retrieve the groups in the target template.

  C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.

  D. Configure a master device within the device groups.

  Correct Answer: D

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0

• Question 769:

  How can packet butter protection be configured?

  A. at me device level (globally to protect firewall resources and ingress zones, but not at the zone level

  B. at the device level (globally) and it enabled globally, at the zone level

  C. at the interlace level to protect firewall resources

  D. at zone level to protect firewall resources and ingress zones but not at the device level

  Correct Answer: B

• Question 770:

  Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

  A. Layer 2

  B. Tap

  C. Layer 3

  D. Decryption Mirror

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking- admin/network-packet-broker/configure-routed-layer-3-security-chains Configure security chain devices with Layer 3 interfaces to connect to the security chain network. These Layer 3 interfaces must have an assigned IP address and subnet mask. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption- broker/security-chain-layer-3-guidelines.html