Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 791:

  When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.

  What will be the destination IP Address in that log entry?

  A. The IP Address of sinkhole.paloaltonetworks.com
  B. The IP Address of the command-and-control server
  C. The IP Address specified in the sinkhole configuration
  D. The IP Address of one of the external DNS servers identified in the anti-spyware database
  C. The IP Address specified in the sinkhole configuration

  ---

  Explanation

  https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function-is-Working/ta-p/65864

• Question 792:

  A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny". Which action will this cause configuration on the matched traffic?

  A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".
  B. The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede theper-severity defined actions defined in the associated Vulnerability Protection Profile.
  C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
  D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny."
  D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny."

  ---

  Explanation

  "Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/ policy/security-profiles.html#

• Question 793:

  Which new PAN-OS 11.0 feature supports IPv6 traffic?

  A. DHCPv6 Client with Prefix Delegation
  B. OSPF
  C. DHCP Server
  D. IKEvI
  A. DHCPv6 Client with Prefix Delegation

  ---

  Explanation

  According to the Palo Alto Networks documentation1, DHCPv6 Client with Prefix Delegation is a new feature in PAN-OS 11.0 that supports IPv6 traffic. This feature allows configuring an interface as a DHCPv6 client with prefix delegation,

  which enables the interface to obtain an IPv6 prefix from a DHCPv6 server and assign IPv6 addresses to other interfaces on the firewall or downstream devices. Therefore, the correct answer is A. The other options are not new features in

  PAN-OS 11.0 that support IPv6 traffic:

  OSPF: This option is not a new feature in PAN-OS 11.0. OSPF is a routing protocol that supports both IPv4 and IPv6 traffic. It has been supported by PAN-OS since version 4.12. DHCP Server: This option is not a new feature in PAN-OS

  11.0. DHCP Server is a feature that allows the firewall to act as a DHCP server and assign IP addresses to clients. It supports both IPv4 and IPv6 traffic. It has been supported by PAN-OS since version 5.03. IKEv1: This option is not a new feature in PAN-OS 11.0. IKEv1 is a protocol that supports both IPv4 and IPv6 traffic for establishing VPN tunnels. It has been supported by PAN-OS since version 3.04.

  References: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/dhcpv6-client-with-prefix-delegation https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/routing/open-shortest-path-first-ospf https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/dhcp/configure-a-dhcp-server https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/set-up-site-to-site-vpn/set-up-an-ike-gateway

• Question 794:

  During the packet flow process, which two processes are performed in application identification? (Choose two.)

  A. pattern based application identification
  B. application changed from content inspection
  C. session application identified
  D. application override policy match
  A. pattern based application identification
  D. application override policy match

  ---

  Explanation

• Question 795:

  Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.)

  A. On the App Dependency tab in the Commit Status window
  B. On the Application tab in the Security Policy Rule creation window
  C. On the Objects > Applications browsers pages
  D. On the Policy Optimizer's Rule Usage page
  A. On the App Dependency tab in the Commit Status window
  B. On the Application tab in the Security Policy Rule creation window

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies.html

• Question 796:

  An engineer is bootstrapping a VM-Series Firewall Other than the 'config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

  A. /software
  B. /opt
  C. /license
  D. /content
  E. /plugins
  A. /software
  C. /license
  D. /content

  ---

  Explanation

  https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/prepare-the-bootstrap-package

• Question 797:

  An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  E. Option E
  B. Option B

  ---

  Explanation

• Question 798:

  An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

  How should the administrator remediate this issue?

  A. Contact the site administrator with the expired certificate to request updates or renewal.
  B. Enable certificate revocation checking to deny access to sites with revoked certificates. -"
  C. Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.
  D. Check for expired certificates and take appropriate actions to block or allow access based on business needs.
  C. Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

  ---

  Explanation

• Question 799:

  Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accoumplish this goal?

  A. Assign an IP address on each tunnel interface at each site
  B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
  C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
  D. Create new VPN zones at each site to terminate each VPN connection
  C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces

  ---

  Explanation

• Question 800:

  A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)

  A. SSUTLS Service
  B. HTTP Server
  C. Decryption
  D. Interface Management
  A. SSUTLS Service
  D. Interface Management

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8