Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 11

The session went through SSL decryption processing because the Decryption column shows a green check mark, indicating that the firewall decrypted the traffic and applied security policies. The application has been identified as web-browsing because the Application column shows web- browsing as the application name. The session has not ended yet because the Session End Reason column shows N/A, indicating that the session is still active. The session did go through SSL decryption processing, so option D is incorrect. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/monitor/monitor- network/monitor-sessions

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC#:~:text=un known%2Dtcp%3A,firewall%20does%20not%20have%20signatures.Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures

A redistribution profile defines which routes from one routing protocol are redistributed into another routing protocol. In the OSPF configuration, the OSPF Export Rules section allows you to select which redistribution profiles to apply for exporting routes into OSPF. Within the redistribution profile, you need to select Redist as the option to redistribute the routes that match the profile filter. If you select No Redist, the routes that match the profile filter will not be redistributed.

Ensuring that the OSPF neighbor state is "2-Way" is not relevant for advertising a static route into OSPF, as this state indicates that the neighbor relationship is established but not synchronized. In the redistribution profile, the source type should be set to "static" if you want to redistribute a static route into OSPF, not "ospf". Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/route- redistribution/configure-route-redistribution https:// knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfnCAC

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/administer- panorama/enable-automated-commit-recoveryThe Automated Commit Recovery feature enables the firewall to automatically revert to a previous configuration if a commit operation causes connectivity loss between the firewall and Panorama. The feature performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. If the check fails, the firewall reverts to the last known good configuration and restores connectivity with Panorama. The feature does not restore the running configuration on a firewall or Panorama if the last commit fails, as this would require manual intervention. The feature does not revert the configuration changes on Panorama, as Panorama is not affected by the commit operation on the firewall. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama- features/ automatic-panorama-connection-recovery https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/administer- panorama/enable-automated-commit-recovery

A log forwarding profile defines which logs are forwarded to which destinations, such as syslog servers. By creating a filter with application not equal to DNS, the log forwarding profile will exclude DNS traffic logs from being forwarded to syslog. Disabling logging on security rules allowing DNS will prevent the firewall from generating any logs for DNS traffic, which may not be desirable. Creating a security rule to deny DNS traffic with the syslog server in the destination will block the communication between the firewall and the syslog server, which may affect other logs. Creating a filter with application equal to DNS will forward only DNS traffic logs to syslog, which is the opposite of what is required.

Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding https://docs.paloaltonetworks.com/network-security/security-policy/objects/log-forwarding

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward- proxy(Best Practice) Enterprise CA-signed CertificatesóAn enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA.

This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices' CA Trust storage), so you don't need to deploy the certificate on the endpoints, so therollout process is smoother. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/decryption/configure-ssl-forward-proxy.html

QoS natively integrates with App-ID, which is a feature that identifies applications based on their unique characteristics and behaviors, regardless of port, protocol, encryption, or evasive tactics. By using App-ID, QoS can prioritize or limit traffic based on the application name, category, subcategory, technology, or risk level. Certificate revocation is a process of invalidating digital certificates that are no longer trusted or secure. Content-ID is a feature that scans content and data within allowed applications for threats and sensitive data. Port inspection is a method of identifying applications based on the TCP or UDP port numbers they use, which is not reliable or granular enough for QoS purposes. Reference:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id

If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain- certificates/deploy-certificates-using-scep

Panorama can perform three actions when deploying PAN-OS images to its managed devices: upload-only, upload and install, and upload and install and reboot. Upload-only transfers the PAN-OS image from Panorama to the managed device without installing it. Upload and install transfers the PAN-OS image from Panorama to the managed device and installs it, but does not reboot the device.Upload and install and reboot transfers the PAN-OS image from Panorama to the managed device, installs it, and reboots the device. Verify and install is not a valid action for deploying PAN-OS images from Panorama. Install and reboot is not a valid action for deploying PAN-OS images from Panorama, as the image needs to be uploaded first. Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/panorama/panorama-device- deployment/manage-software-and-content-updates https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cles