Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 761:

  An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?

  A. Browser-supported cipher documentation
  B. Cipher documentation supported by the endpoint operating system
  C. URL risk-based category distinctions
  D. Legal compliance regulations and acceptable usage policies
  D. Legal compliance regulations and acceptable usage policies

  ---

  Explanation

  The engineer should review the legal compliance regulations and acceptable usage policies with their leadership before implementing SSL Forward Proxy decryption for their organization. SSL Forward Proxy decryption allows the firewall to decrypt and inspect the traffic from internal users to external servers. This can raise privacy and legal concerns for the users and the organization. Therefore, the engineer should ensure that the leadership is aware of the implications and benefits of SSL Forward Proxy decryption and that they have a clear policy for informing and obtaining consent from the users. Option A is incorrect because browser-supported cipher documentation is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the browser settings. Option B is incorrect because cipher documentation supported by the endpoint operating system is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the endpoint operating system. Option C is incorrect because URL risk-based category distinctions are not relevant for SSL Forward Proxy decryption. The firewall can decrypt and inspect traffic based on any URL category, not just risk-based ones.

• Question 762:

  When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)

  A. Schedule
  B. Source Device
  C. Custom Application
  D. Source Interface
  A. Schedule
  D. Source Interface

  ---

  Explanation

• Question 763:

  An administrator needs to upgrade an NGFW to the most current version of PAN-OS?software. The following is occurring:

  Firewall has Internet connectivity through e1/1. Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.

  Service route is configured, sourcing update traffic from e1/1. A communication error appears in the System logs when updates are performed.

  Download does not complete.

  What must be configured to enable the firewall to download the current version of PAN-OS software?

  A. DNS settings for the firewall to use for resolution
  B. scheduler for timed downloads of PAN-OS software
  C. static route pointing application PaloAlto-updates to the update servers
  D. Security policy rule allowing PaloAlto-updates as the application
  D. Security policy rule allowing PaloAlto-updates as the application

  ---

  Explanation

• Question 764:

  A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)

  A. Telemetry feature is automatically enabled during PAN-OS installation.
  B. Telemetry data is uploaded into Strata Logging Service.
  C. Telemetry feature is using Traffic logs and packet captures to collect data.
  D. Telemetry data is shared in real time with Palo Alto Networks.
  A. Telemetry feature is automatically enabled during PAN-OS installation.
  C. Telemetry feature is using Traffic logs and packet captures to collect data.

  ---

  Explanation

  To address the question about the Device Telemetry feature in PAN-OS and its compliance with privacy and data storage laws, let's examine the details thoroughly.

  Understanding Device Telemetry in PAN-OS

  Device Telemetry is a feature in Palo Alto Networks' PAN-OS that collects data from the firewall to provide insights for:

  Product usage trends.

  Threat analysis.

  Operational optimizations.

  Telemetry may include:

  Configuration data.

  Threat logs.

  Performance metrics.

  However, specific aspects of this feature require attention to ensure compliance with local privacy laws.

  Explanation of Options

  A. Telemetry feature is automatically enabled during PAN-OS installation Why It Requires Action:

  B. Telemetry data is uploaded into Strata Logging Service Why It Does Not Require Immediate Action:

  C. Telemetry feature is using Traffic logs and packet captures to collect data Why It Requires Action:

  D. Telemetry data is shared in real time with Palo Alto Networks Why It Does Not Require Immediate Action:

  Key Objectives in PCNSA and PCNSE Study Guides

  PCNSA Study Guide:

  Domain 1: Device Management:

  Domain 4: Securing Traffic:

  PCNSE Study Guide:

  Domain 2: Logging and Reporting:

  Domain 5: Security Operations:

  Actions to Ensure Compliance

  Review Privacy Regulations:

  Disable Default Telemetry:

  Customize Data Collection:

  Educate Administrators:

  PAN-OS 11.0 Documentation References

  Device Telemetry Overview:PAN-OS 11.0 Admin Guide -Device Telemetry Telemetry Configuration Settings:PAN-OS 11.0 Admin Guide -Telemetry Configuration Logging and Privacy Compliance:PAN-OS Logging Configuration

• Question 765:

  Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

  A. Red Hat Enterprise Virtualization (RHEV)
  B. Kernel Virtualization Module (KVM)
  C. Boot Strap Virtualization Module (BSVM)
  D. Microsoft Hyper-V
  B. Kernel Virtualization Module (KVM)
  D. Microsoft Hyper-V

  ---

  Explanation

  https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-seriesdocs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments

• Question 766:

  A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled.

  What action should the engineer take?

  A. Add an authentication algorithm in the IPSec Crypto profile.
  B. Enable PFS under the IPSec Tunnel advanced options.
  C. Select the appropriate DH Group under the IPSec Crypto profile.
  D. Enable PFS under the IKE gateway advanced options
  C. Select the appropriate DH Group under the IPSec Crypto profile.

  ---

  Explanation

  PFS (Perfect Forward Secrecy) is a feature that ensures that the encryption keys used for each IPSec session are not derived from previous keys. This provides more security in case one key is compromised. To enable PFS, the administrator needs to select the appropriate DH (Diffie-Hellman) Group under the IPSec Crypto profile that is applied to the IPSec tunnel. The DH Group determines the strength of the key exchange and should match on both ends of the tunnel1. The other options do not enable PFS. The authentication algorithm in the IPSec Crypto profile is used to verify the integrity of the IPSec packets. The PFS option under the IPSec Tunnel advanced options or the IKE gateway advanced options does not exist in the WebUI.

  References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpn/site-to-site-vpn/configure-the-ipsec-crypto-profile

• Question 767:

  Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?

  A. It can run on a single virtual system and multiple virtual systems.
  B. It can run on multiple virtual systems without issue.
  C. It can run only on a single virtual system.
  D. It can run only on a virtual system with an alias named "web proxy.
  A. It can run on a single virtual system and multiple virtual systems.

  ---

  Explanation

• Question 768:

  In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

  A. wildcard server certificate
  B. enterprise CA certificate
  C. client certificate
  D. server certificate
  E. self-signed CA certificate
  B. enterprise CA certificate
  E. self-signed CA certificate

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html

• Question 769:

  Only two Trust to Untrust allow rules have been created in the Security policy

  Rule1 allows google-base

  Rule2 allows youtube-base

  The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.

  Which action will allow youtube.com display in the browser correctly?

  A. Add SSL App-ID to Rule1
  B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
  C. Add the DNS App-ID to Rule2
  D. Add the Web-browsing App-ID to Rule2
  C. Add the DNS App-ID to Rule2

  ---

  Explanation

• Question 770:

  An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location?

  A. 90Mbps
  B. 300 Mbps
  C. 75Mbps
  D. 50Mbps
  D. 50Mbps

  ---

  Explanation

  The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage allocation). https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth