Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 71:

  Which statement is true regarding a heatmap in a BPA report?

  A. When guided by authorized sales engineer, it helps determine the areas of the greatest security risk.

  B. It runs only on firewalls.

  C. It provides a percentage of adoption for each assessment area.

  D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

  Correct Answer: C

  https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

• Question 72:

  A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT, Finance, and HR. Which two types of traffic will the rule apply to? (Choose two.)

  A. traffic between zone Finance and zone HR

  B. traffic between zone IT and zone Finance

  C. traffic within zone HR

  D. traffic within zone IT

  Correct Answer: CD

  When a rule is configured as "intrazone", the "destination zone" cannot be changed (greyed out). Its value comes from the "source zone".

• Question 73:

  An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface. Which statement is true regarding the configuration of the Decryption Port Mirroring feature?

  A. The engineer should install the Decryption Port Mirror license and reboot the firewall.

  B. The PA-850 firewall does not support decrypt mirror interface, so the engineer needs to upgrade the firewall to PA-3200 series.

  C. The engineer must assign an IP from the same subnet with the forensic tool to the decrypt mirror interface.

  D. The engineer must assign the related virtual-router to the decrypt mirror interface.

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-decryption-port-mirroring

• Question 74:

  An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems. From the Pre-defined Categories tab within the URL Filtering profile what is the right configuration to prevent such connections?

  A. Set the malware category to block

  B. Set the Command and Control category to block

  C. Set the phishing category to override

  D. Set the hacking category to continue

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-categories/url-category-best-practices

• Question 75:

  In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely which protocol should you select when adding a new scheduled config export?

  A. HTTPS

  B. FTP

  C. SMB v3

  D. SCP

  Correct Answer: D

  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-scheduled-config-export "Select the protocol to use to export logs from Panorama to a remote host. Secure Copy (SCP) is a secure protocol; FTP is not."

• Question 76:

  An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt.

  Which three items should be prioritized for decryption? (Choose three.)

  A. Financial, health, and government traffic categories

  B. Less-trusted internal IP subnets

  C. Known malicious IP space

  D. High-risk traffic categories

  E. Public-facing servers

  Correct Answer: BDE

• Question 77:

  What is the best description of the Cluster Synchronization Timeout (min)?

  A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

  B. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

  C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

  D. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

  Correct Answer: B

  The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier. References: Configure HA Clustering, PCNSE Study Guide (page 53)

• Question 78:

  How is an address object of type IP range correctly defined?

  A. 192 168 40 1-192 168 40 255

  B. 192.168 40 1/24

  C. 192.168 40 1, 192.168 40.255

  D. 192 168 40 1-255

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/create-an-address-object

• Question 79:

  Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

  A. service route

  B. data redistribution

  C. SNMP setup

  D. dynamic updates

  Correct Answer: A

  Service route is used when you need to modify the interface (management by default) from which to reach certain services.

• Question 80:

  A client is concerned about web shell attacks against their servers. Which profile will protect the individual servers?

  A. Anti-Spyware profile

  B. Zone Protection profile

  C. DoS Protection profile

  D. Antivirus profile

  Correct Answer: A

  Web shell attacks are part of the Spyware Signatures. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/threat-signatures