Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 771:

  A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.

  What should be done first?

  A. Remove the cable from the management interface, reload the log Collector and then re-connect that cable
  B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
  C. remove the device from the Collector Group
  D. Revert to a previous configuration
  C. remove the device from the Collector Group

  ---

  Explanation

• Question 772:

  An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

  If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

  A. Panorama has no connection to Palo Alto Networks update servers
  B. Panorama does not have valid licenses to push the dynamic updates
  C. No service route is configured on the firewalls to Palo Alto Networks update servers
  D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed
  D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed

  ---

  Explanation

  Locally defined dynamic updates setting on a managed Palo Alto Networks firewall take preference over the Panorama pushed setting. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0

• Question 773:

  Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?

  A. syslog listening
  B. Port Mapping
  C. Client Probing
  D. Server Monitoring
  A. syslog listening

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping/configure-the-pan-os-integrated-user-id-agent-as-a-syslog-listener#id91eb3abd43c1-4969-8a5f-df032685e277

• Question 774:

  Given the following configuration, which route is used for destination 10.10.0.4?

  

  A. Route 4
  B. Route 3
  C. Route 1
  D. Route 2
  D. Route 2

  ---

  Explanation

• Question 775:

  If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

  A. The settings assigned to the template that is on top of the stack.
  B. The administrator will be promoted to choose the settings for that chosen firewall.
  C. All the settings configured in all templates.
  D. Depending on the firewall location, Panorama decides with settings to send.
  A. The settings assigned to the template that is on top of the stack.

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/ma nage-firewalls/manage-templates-and-template-stacks/configure-a-template-stack

• Question 776:

  A firewall administrator is configuring an IPSec tunnel between Site A and Site

  B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the

  outside interface of the firewall. However, the use of dynamic peering is not working.

  Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

  Site A configuration:

  

  

  Site B configuration:

  

  

  A. Match IKE version on both firewalls.
  B. Configure Local Identification on Site B firewall.
  C. Enable NAT Traversal on Site B firewall.
  D. Disable passive mode on Site A firewall.
  A. Match IKE version on both firewalls.
  D. Disable passive mode on Site A firewall.

  ---

  Explanation

  The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

  Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

  Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

  NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.

• Question 777:

  An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.)

  A. OSPF
  B. RIP
  C. BGP
  D. IGRP
  E. OSPFv3 virtual link
  A. OSPF
  B. RIP
  C. BGP

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols

• Question 778:

  Refer to the exhibit.

  

  A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?

  A. Untrust (any) to Untrust (10. 1.1. 100), web browsing ?Allow
  B. Untrust (any) to Untrust (1. 1. 1. 100), web browsing ?Allow
  C. Untrust (any) to DMZ (1. 1. 1. 100), web browsing ?Allow
  D. Untrust (any) to DMZ (10. 1. 1. 100), web browsing ?Allow
  C. Untrust (any) to DMZ (1. 1. 1. 100), web browsing ?Allow

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview.html https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping

• Question 779:

  Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

  A. Legacy
  B. Log Collector
  C. Panorama
  D. Management Only
  D. Management Only

  ---

  Explanation

• Question 780:

  Which virtual router feature determines if a specific destination IP address is reachable?

  A. Heartbeat Monitoring
  B. Failover
  C. Path Monitoring
  D. Ping-Path
  C. Path Monitoring

  ---

  Explanation

  https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf