Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 11
Question 101

A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?
Explanation:
A vulnerability protection profile enables the firewall to detect and prevent exploit attempts against known vulnerabilities in network protocols and applications. A decryption policy allows the firewall to decrypt and inspect inbound HTTPS traffic for potential threats. A data filtering profile is used for detecting and controlling the transfer of sensitive data such as credit card numbers or social security numbers. A WildFire profile is used for submitting unknown files or email links to the WildFire cloud for analysis and verdict. A file blocking profile is used for blocking or allowing the transfer of files based on their type, direction, or application. A QoS policy is used for managing the bandwidth allocation and priority of network traffic based on various criteria.
Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-vulnerability-protection.html
Question 102

Which two statements correctly describe Session 380280? (Choose two.)
Explanation:
The session went through SSL decryption processing because the Decryption column shows a green check mark, indicating that the firewall decrypted the traffic and applied security policies. The application has been identified as web-browsing because the Application column shows web-browsing as the application name. The session has not ended yet because the Session End Reason column shows N/A, indicating that the session is still active. The session did go through SSL decryption processing, so option D is incorrect.
Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/monitor/monitor-network/monitor-sessions
Question 103

While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column. What best explains these occurrences?
Explanation:
Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC#:~:text=unknown%2Dtcp%3A,firewall%20does%20not%20have%20signatures.
Question 104

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.
Which two configurations should you check on the firewall? (Choose two.)
Explanation:
A redistribution profile defines which routes from one routing protocol are redistributed into another routing protocol. In the OSPF configuration, the OSPF Export Rules section allows you to select which redistribution profiles to apply for exporting routes into OSPF. Within the redistribution profile, you need to select Redist as the option to redistribute the routes that match the profile filter. If you select No Redist, the routes that match the profile filter will not be redistributed.
Ensuring that the OSPF neighbor state is "2-Way" is not relevant for advertising a static route into OSPF, as this state indicates that the neighbor relationship is established but not synchronized. In the redistribution profile, the source type should be set to "static" if you want to redistribute a static route into OSPF, not "ospf".
Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/route-redistribution/configure-route-redistribution https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfnCAC
Question 105

Which statement best describes the Automated Commit Recovery feature?
Explanation:
The Automated Commit Recovery feature enables the firewall to automatically revert to a previous configuration if a commit operation causes connectivity loss between the firewall and Panorama. The feature performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. If the check fails, the firewall reverts to the last known good configuration and restores connectivity with Panorama. The feature does not restore the running configuration on a firewall or Panorama if the last commit fails, as this would require manual intervention. The feature does not revert the configuration changes on Panorama, as Panorama is not affected by the commit operation on the firewall.
Reference: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/administer-panorama/enable-automated-commit-recovery https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/automatic-panorama-connection-recovery https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/administer-panorama/enable-automated-commit-recovery
Question 106

A firewall administrator wants to avoid overflowing the company syslog server with traffic logs.
What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?
Explanation:
A log forwarding profile defines which logs are forwarded to which destinations, such as syslog servers. By creating a filter with application not equal to DNS, the log forwarding profile will exclude DNS traffic logs from being forwarded to syslog. Disabling logging on security rules allowing DNS will prevent the firewall from generating any logs for DNS traffic, which may not be desirable. Creating a security rule to deny DNS traffic with the syslog server in the destination will block the communication between the firewall and the syslog server, which may affect other logs. Creating a filter with application equal to DNS will forward only DNS traffic logs to syslog, which is the opposite of what is required.
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding https://docs.paloaltonetworks.com/network-security/security-policy/objects/log-forwarding
Question 107

An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?
Explanation:
(Best Practice) Enterprise CA-signed Certificates: An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA.
This is a best practice because usually all network devices already trust the enterprise CA (it is usually already installed in the devices' CA trust store), so you don't need to deploy the certificate on the endpoints, and the rollout process is smoother.
Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html
Question 108

An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?
Explanation:
QoS natively integrates with App-ID, which is a feature that identifies applications based on their unique characteristics and behaviors, regardless of port, protocol, encryption, or evasive tactics. By using App-ID, QoS can prioritize or limit traffic based on the application name, category, subcategory, technology, or risk level. Certificate revocation is a process of invalidating digital certificates that are no longer trusted or secure. Content-ID is a feature that scans content and data within allowed applications for threats and sensitive data. Port inspection is a method of identifying applications based on the TCP or UDP port numbers they use, which is not reliable or granular enough for QoS purposes. Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id
Question 109

What can an engineer use with GlobalProtect to distribute user-specific client certificates to each GlobalProtect user?
Explanation:
If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.
Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain-certificates/deploy-certificates-using-scep
Question 110

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices?
(Choose three.)
Explanation:
Panorama can perform three actions when deploying PAN-OS images to its managed devices: upload-only, upload and install, and upload and install and reboot. Upload-only transfers the PAN-OS image from Panorama to the managed device without installing it. Upload and install transfers the PAN-OS image from Panorama to the managed device and installs it, but does not reboot the device. Upload and install and reboot transfers the PAN-OS image from Panorama to the managed device, installs it, and reboots the device. Verify and install is not a valid action for deploying PAN-OS images from Panorama. Install and reboot is not a valid action for deploying PAN-OS images from Panorama, as the image needs to be uploaded first.
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/panorama/panorama-device-deployment/manage-software-and-content-updates https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cles