Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 81:

  Refer to the screenshots.

  

  Without the ability to use Context Switch, where do admin accounts need to be configured in order to provide admin access to Panorama and to the managed devices?

  A. The Panorama section overrides the Device section. The accounts need to be configured only in the Panorama section.

  B. The sections are independent. The accounts need to be configured in both the Device and Panorama sections.

  C. The Device section overrides Panorama section. The accounts need to be configured only in the Device section.

  D. Configuration in the sections is merged together. The accounts need to be configured in either section.

  Correct Answer: B

  https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/context-switchfirewall-or-panorama

• Question 82:

  Engineer was tasked to simplify configuration of multiple firewalls with a specific set of configurations shared across all devices. Which two advantages would be gained by using multiple templates in a stack? (Choose two.)

  A. inherits address-objects from the templates

  B. standardizes server profiles and authentication configuration across all stacks

  C. standardizes log-forwarding profiles for security policies across all stacks

  D. defines a common standard template configuration for firewalls

  Correct Answer: BD

• Question 83:

  A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?

  A. test routing fib-lookup ip 10.2.5.0/24 virtual-router default

  B. test routing route ip 10.2.5.3

  C. test routing route ip 10.2.5.3 virtual-router default

  D. test routing fib-lookup ip 10.2.5.3 virtual-router default

  Correct Answer: D

  To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default . This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYJCA0

• Question 84:

  Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?

  A. self-signed root CA

  B. external CA certificate

  C. server certificate

  D. device certificate

  Correct Answer: A

  https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

• Question 85:

  An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence?

  A. PBF > Static route > Security policy enforcement

  B. BGP < PBF > NAT

  C. PBF > Zone Protection Profiles > Packet Buffer Protection

  D. NAT > Security policy enforcement > OSPF

  Correct Answer: A

  PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. References: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS

• Question 86:

  The following objects and policies are defined in a device group hierarchy.

  

  Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group

  What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

  A. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

  B. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1

  C. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1

  D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

  Correct Answer: D

  Panorama will not push anything from Data-Centers group. That rules out C.

  Panorama will push all objects from "Shared", which rules out A.

  Note that the target of "Shared Policy 2" is NYC-FW, so this policy won't get pushed to Dallas-FW. This rules out B.

  Thus, answer is D.

• Question 87:

  Which component enables you to configure firewall resource protection settings?

  A. DoS Protection Profile

  B. QoS Profile

  C. Zone Protection Profile

  D. DoS Protection policy

  Correct Answer: A

• Question 88:

  Which feature of PAN-OS SD-WAN allows you to configure a bandwidth-intensive application to go directly to the internet through the branch's ISP link instead of going back to the data-center hub through the VPN tunnel, thus saving WAN bandwidth costs?

  A. SD-WAN Full Mesh with branches only

  B. SD-WAN direct internet access (DIA) links

  C. SD-WAN Interface profile

  D. VPN Cluster

  Correct Answer: B

  https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/sd-wan-overview/about-sd-wan

• Question 89:

  What is a feature of the PA-440 hardware platform?

  A. It supports Zero Touch Provisioning to assist in automated deployments.

  B. It supports 10GbE SFP+ modules.

  C. It has twelve 1GbE Copper ports.

  D. It has dedicated interfaces for high availability.

  Correct Answer: A

  https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/set-up-zero-touch-provisioning/ztp-overview/about-ztp

• Question 90:

  A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption. Which order of steps is best to complete this migration?

  A. First migrate SSH rules to App-ID; then implement SSL decryption.

  B. Configure SSL decryption without migrating port-based security rules to App-ID rules.

  C. First implement SSL decryption; then migrate port-based rules to App-ID rules.

  D. First migrate port-based rules to App-ID rules; then implement SSL decryption.

  Correct Answer: D

  Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules.

  https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment