Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 25
Question 241
In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
Explanation:
Access to the WildFire logs from Panorama requires the following: a WildFire subscription, a File Blocking profile that is attached to a Security rule, and Threat log forwarding to Panorama.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/monitor-network-activity/use-case-respond-to-an-incident-using-panorama/review-wildfire-logs
Question 242
Which source is the most reliable for collecting User-ID user mapping?
Explanation:
For collecting User-ID user mapping information, the most reliable and commonly used source is directory services, with Microsoft Active Directory being the predominant choice in many organizational environments.
C) Microsoft Active Directory:
Microsoft Active Directory is a directory service used for user authentication and authorization. It provides a comprehensive database of user accounts, groups, and other objects within an organization's network. Palo Alto Networks firewalls can integrate with Active Directory to obtain real-time user mapping information, which is crucial for implementing security policies based on user identity.
The integration involves monitoring Active Directory domain controllers for security logs that contain user login events, IP address mappings, and other relevant information. This allows the firewall to accurately and dynamically map user identities to IP addresses, enhancing the granularity and effectiveness of security policies.
Compared to other sources like Syslog Listener, Microsoft Exchange, or GlobalProtect, Active Directory offers direct and comprehensive insights into user activities and is therefore considered the most reliable source for User-ID user mapping in Palo Alto Networks environments.
Question 243
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Explanation:
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
Question 244
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
Explanation:
According to the Palo Alto Networks Compatibility Matrix, the three platforms that support PAN-OS 10.2 are:
PA-800 Series
PA-220
PA-3400 Series
The PA-5000 Series and PA-500 do not support PAN-OS 10.2.
To upgrade devices to PAN-OS 10.2 using Panorama, you need to determine the upgrade path, upgrade Panorama itself, and then upgrade the firewalls using Panorama.
Question 245
An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
Explanation:
SSL Forward Proxy is a feature that allows the firewall to decrypt and inspect outbound SSL traffic from internal users to external servers. The firewall acts as a proxy (MITM), generating a new certificate for the accessed URL and presenting it to the client during the SSL handshake.
SSL Forward Proxy can be configured on any interface type that supports security policies, which are Layer 2, Virtual Wire, and Layer 3 interfaces. These interface types allow the firewall to apply security profiles and URL filtering on the decrypted SSL traffic.
Question 246
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Explanation:
A transparent proxy is a type of web proxy that intercepts and redirects HTTP and HTTPS requests without requiring any configuration on the client browser. The firewall acts as a gateway between the client and the web server, and performs security checks on the traffic.
A transparent proxy can be configured on PAN-OS 11.0 firewalls by performing the following steps:
Enable Web Proxy under Device > Setup > Services
Select Transparent Proxy as the Proxy Type
Configure a Service Route for Web Proxy
Configure SSL/TLS Service Profile for Web Proxy
Configure Security Policy Rules for Web Proxy Traffic
By configuring a transparent proxy on PAN-OS 11.0 firewalls, an organization can migrate from their existing web proxy architecture without changing their network topology or client settings. The firewall will maintain the same type of traffic flow as before, where HTTP and HTTPS requests contain the IP address of the web server and the client browser is redirected to the proxy.
Answer A is not correct because DNS proxy is a type of web proxy that intercepts DNS queries from clients and resolves them using an external DNS server. This type of proxy does not redirect HTTP or HTTPS requests to the firewall.
Question 247
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved?
Explanation:
User-ID group mapping is a feature that allows Panorama to retrieve user and group information from directory services such as LDAP or Active Directory. This information can be used to enforce security policies based on user identity and group membership.
To configure User-ID group mapping on Panorama, you need to perform the following steps:
Select Panorama > User Identification > Group Mapping Settings
Click Add and enter a name for the server profile
Select a Server Type (LDAP or Active Directory)
Click Add and enter the server details (IP address, port number, etc.)
Click OK
Select Group Include List and click Add
Select the groups that you want to include in the group mapping
Click OK
Commit your changes
By configuring User-ID group mapping on Panorama, you can see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
Question 248
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
Explanation:
When importing a pre-configured firewall configuration to Panorama, you need to perform the following steps:
Add the serial number of the firewall under Panorama > Managed Devices
In Panorama, import the firewall's configuration bundle under Panorama > Setup > Operations > Import device configuration to Panorama
Make changes to the imported firewall configuration within Panorama
Commit the changes you made to Panorama
Perform an Export or push Device Config Bundle operation under Panorama > Setup > Operations
The Export or push Device Config Bundle operation allows you to push a complete configuration bundle from Panorama to a managed firewall without duplicating local configurations. This operation ensures that any local settings on the firewall are preserved and merged with the settings from Panorama.
Question 249
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Explanation:
To configure LDAP authentication on Panorama, you need to:
Define an LDAP server profile that specifies the connection details and credentials for accessing the LDAP server.
Define an authentication profile that references the LDAP server profile and defines how users authenticate to Panorama (such as username format and password expiration).
Define an authentication sequence (optional) that allows users to authenticate using multiple methods (such as local database, LDAP, RADIUS, etc.).
Assign the authentication profile or sequence to a Panorama administrator role or a device group role.
Question 250
An engineer is tasked with configuring SSL forward proxy for traffic going to external sites.
Which of the following statements is consistent with SSL decryption best practices?
Explanation:
According to the PCNSE Study Guide, SSL forward proxy is a feature that allows the firewall to decrypt and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the server, generating a certificate on the fly for each site.
The best practices for configuring SSL forward proxy are:
Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients. This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The clients will not see any certificate errors if they trust the forward trust certificate.
Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they do not trust the forward untrust certificate. This helps alert users of potential risks and prevent man-in-the-middle attacks.
Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM does not support on-the-fly signing of certificates, which is required for SSL forward proxy.