Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 781:

  Cortex XDR notifies an administrator about grayware on the endpoints.

  There are no entnes about grayware in any of the logs of the corresponding firewall.

  Which setting can the administrator configure on the firewall to log grayware verdicts?

  A. within the log settings option in the Device tab

  B. within the log forwarding profile attached to the Security policy rule

  C. in WildFire General Settings, select "Report Grayware Files"

  D. in Threat General Settings^ select "Report Grayware Files"

  Correct Answer: C

• Question 782:

  SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me "security certificate is not trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known- lntermediate and Well-Known-Root-CA.

  The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

  1.

  End-users must not get the warning for the https://www.very-important-website.com website.

  2.

  End-users should get the warning for any other untrusted website

  Which approach meets the two customer requirements?

  A. Navigate to Device > Certificate Management > Certificates > Device Certificates import Well-Known-lntermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the configuration

  B. Install the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems m the user and local computer stores

  C. Navigate to Device > Certificate Management - Certificates s Default Trusted Certificate Authorities import Well-Known-intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box and commit the configuration

  D. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

  Correct Answer: C

• Question 783:

  Given the following configuration, which route is used for destination 10.10.0.4?

  

  A. Route 4

  B. Route 3

  C. Route 1

  D. Route 2

  Correct Answer: D

• Question 784:

  An engineer must configure a new SSL decryption deployment

  Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

  A. There must be a certificate with both the Forward Trust option and Forward Untrust option selected

  B. A Decryption profile must be attached to the Decryption policy that the traffic matches

  C. A Decryption profile must be attached to the Security policy that the traffic matches

  D. There must be a certificate with only the Forward Trust option selected

  Correct Answer: D

  A certificate with only the Forward Trust option selected is required for SSL Forward Proxy decryption, which is the most common type of SSL decryption deployment. A certificate with both the Forward Trust and Forward Untrust options

  selected is required for SSL Inbound Inspection decryption, which is less common. A Decryption profile is not required before any traffic that matches an SSL decryption rule is decrypted, but it is recommended to apply one to control how the

  firewall handles traffic that cannot be decrypted.

  References:

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-forward-proxy

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-inbound-inspection https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/

  deploy-ssl-decryption-using-best-practices

• Question 785:

  Refer to the exhibit.

  

  An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the firewall to Panorama?

  

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: B

• Question 786:

  In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

  A. HA Sync does not occur the existing session is transferred to the active firewall.

  B. HA Sync does not occur the firewall drops the session.

  C. HA Sync occurs the session is sent to testpath

  D. HA Sync occurs the firewall allows the session Put does not decrypt the session.

  Correct Answer: D

• Question 787:

  What are three reasons for excluding a site from SSL decryption? (Choose three.)

  A. the website is not present in English

  B. unsupported ciphers

  C. certificate pinning

  D. unsupported browser version

  E. mutual authentication

  Correct Answer: BCE

  Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryptionexclusions/exclude-a-server-from-decryption.html

• Question 788:

  An administrator analyzes the following portion of a VPN system log and notices the following issue

  "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

  What is the cause of the issue?

  A. IPSec crypto profile mismatch

  B. IPSec protocol mismatch

  C. mismatched Proxy-IDs

  D. bad local and peer identification IP addresses in the IKE gateway

  Correct Answer: C

• Question 789:

  A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know as much as they can about QoS before deploying.

  Which statement about the QoS feature is correct?

  A. QoS is only supported on firewalls that have a single virtual system configured

  B. QoS can be used in conjunction with SSL decryption

  C. QoS is only supported on hardware firewalls

  D. QoS can be used on firewalls with multiple virtual systems configured

  Correct Answer: D

• Question 790:

  What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

  A. Phase 2 SAs are synchronized over HA2 finks

  B. Phase 1 and Phase 2 SAs are synchronized over HA2 links

  C. Phase 1 SAs are synchronized over HA1 links

  D. Phase 1 and Phase 2 SAs are synchronized over HA3 links

  Correct Answer: A

  From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls... This is an expected behavior. IKE phase 1 SA information is NOT

  synchronized between the HA firewalls."

  And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-

  alive). It flows from the active firewall to the passive firewall."

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCA Wandlang=en_US%E2%80%A9andrefURL=http%3A%2F%2Fknowledgebase.paloaltonetworks .com%2FKCSArticleDetail

  https://help.aryaka.com/display/public/KNOW/Palo+Alto+Networks+NFV+Technical+Brief