Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 21

The **IKE crypto profile** is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration. The **IPSec crypto profile** is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series- firewall-on-nsx/set-up-the-vm-series-firewall-on-vmware-nsx/dynamically-quarantine-infected- guests.html#id8e9a242e-e038-4ba2-b0ea-eaaf53690be0

The screenshot shows the threat log which records the traffic that matches a threat signature or is blocked by a security profile. The log entry indicates that the traffic was allowed by the security policy rule "Allow-All" but was denied by the vulnerability protection profile "strict" as a threat. The threat name is "Microsoft Windows SMBv1 Multiple Vulnerabilities (MS17-010: EternalBlue)" and the action is "reset-both" which means that the firewall reset both the client and server connections.Reference: : https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog- for-monitoring/syslog-field-descriptions/threat-log-fields

The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the routelookup of the post-NAT destination IP address. https://docs.paloaltonetworks.com/pan-os/9-1/pan- os-admin/networking/nat/ nat-configuration-examples/destination-nat-exampleone-to-one-mapping

To address the issue of excessive SSL traffic, the administrator should configure QoS on both the ingress and egress interfaces for the traffic flows. This will allow the administrator to control the bandwidth allocation and priority of different applications based on their QoS classes. The administrator should also define a QoS profile that specifies the traffic classes and their guaranteed bandwidth percentages. The QoS profile can then be applied to a QoS policy rule that matches the SSL traffic based on source and destination zones or other criteria. Reference: :https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access- to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e

A. System Logs: The system logs contain information about various events that occur on the firewall, including the commit process. The administrator can review the system logs to verify whether the commit completed successfully or whether there were any errors or warnings during the commit process.

B. Task Manager: The task manager displays a list of all active tasks on the firewall, including the commit task. The administrator can use the task manager to check the status of the commit task, including whether it is in progress, completed successfully, or failed.

Administrative distance is the measure of trustworthiness of a routing protocol. It is used to determine the best path when multiple routes to the same destination exist. The route with the lowest administrative distance is chosen as the best route.

When the same route appears in the routing table three times using three different protocols, the mechanism that determines which route the firewall chooses to use is the administrative distance.

This is explained in the Palo Alto Networks PCNSE Study Guide in Chapter 6: Routing, under the section "Route Selection":

"Administrative distance is a value assigned to each protocol that the firewall uses to determine which route to use if multiple protocols provide routes to the same destination. The route with the lowest administrative distance is preferred."

This is discussed in the Palo Alto Networks PCNSE Study Guide in Chapter 9: Decryption, under the section "SSL Forward Proxy and Inbound Inspection Certificates":

"When importing SSL decryption certificates, you need to provide private keys for the forward trust, forward untrust, and end-entity (leaf) certificates. You do not need to provide private keys for the root CA and intermediate certificates."