PCNSE : Palo Alto Networks Certified Network Security Engineer : Part 06

  1. Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

    • TACACS+
    • Kerberos
    • PAP
    • LDAP
    • SAML
    • RADIUS

    Explanation:

    Reference:
    https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

  2. What is exchanged through the HA2 link?

    • hello heartbeats
    • User-ID information
    • session synchronization
    • HA state information
    Explanation:
    Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/ha-concepts/ha-links-and-backup-links
  3. Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

    • Both SSH keys and SSL certificates must be generated.
    • No prerequisites are required.
    • SSH keys must be manually generated.
    • SSL certificates must be generated.
    Explanation:
    Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssh-proxy
  4. A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.

    Which two formats are correct for naming aggregate interfaces? (Choose two.)

    • ae.8
    • aggregate.1
    • ae.1
    • aggregate.8
  5. Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

    • Push
    • Pull
    • Okta Adaptive
    • Voice
    • SMS
    Explanation:
    Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication
  6. VPN traffic intended for an administrator’s firewall is being maliciously intercepted and retransmitted by the interceptor.

    When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

    • Zone Protection
    • Replay
    • Web Application
    • DoS Protection
  7. Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.

    • [Image: PCNSE Palo Alto Networks Certified Network Security Engineer Part 06 Q07 025]
    • [Image: PCNSE Palo Alto Networks Certified Network Security Engineer Part 06 Q07 026]
    • [Image: PCNSE Palo Alto Networks Certified Network Security Engineer Part 06 Q07 027]
    • [Image: PCNSE Palo Alto Networks Certified Network Security Engineer Part 06 Q07 028]
  8. An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.

    Which configuration step is needed to enable QoS?

    • Enable QoS interface
    • Enable QoS in the Interface Management Profile
    • Enable QoS Data Filtering Profile
    • Enable QoS monitor
  9. Which log file can be used to identify SSL decryption failures?

    • Traffic
    • ACC
    • Configuration
    • Threats
  10. A customer wants to set up a site-to-site VPN using tunnel interfaces.

    Which two formats are correct for naming tunnel interfaces? (Choose two.)

    • tunnel.1
    • vpn-tunnel.1
    • tunnel.1025
    • vpn-tunnel.1024
  11. Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

    [Image: PCNSE Palo Alto Networks Certified Network Security Engineer Part 06 Q11 029]
    • Palo Alto Networks > Symantec > VeriSign
    • VeriSign > Symantec > Palo Alto Networks
    • Symantec > VeriSign > Palo Alto Networks
    • VeriSign > Palo Alto Networks > Symantec
  12. An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.

    Which configuration will enable the firewall to download and install application updates automatically?

    • Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
    • Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
    • Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your Internet connection.
    • Configure a Security policy rule to allow all traffic to and from the update servers.
  13. A company wants to install an NGFW between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.

    Which option differentiates multiple VLANs into separate zones?

    • Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object.
    • Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
    • Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
    • Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
  14. Which data flow describes redistribution of user mappings?

    • User-ID agent to firewall
    • Domain Controller to User-ID agent
    • User-ID agent to Panorama
    • firewall to firewall
  15. Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

    • System Utilization log
    • System log
    • Resources widget
    • CPU Utilization widget
  16. Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)

    • Short message service
    • Push
    • User logon
    • Voice
    • SSH key
    • One-Time Password
    Explanation:
    Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication
  17. Which two features does PAN-OS® software use to identify applications? (Choose two.)

    • transaction characteristics
    • session number
    • port number
    • application layer payload
  18. An administrator wants to upgrade a firewall from PAN-OS® 9.1 to PAN-OS® 10.0. The firewall is not a part of an HA pair.

    What needs to be updated first?

    • Applications and Threats
    • XML Agent
    • WildFire
    • PAN-OS Upgrade Agent
  19. When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

    • Load configuration version
    • Save candidate config
    • Export device state
    • Load named configuration snapshot
  20. Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)

    • HA1 IP Address
    • Master Key
    • Zone Protection Profile
    • Network Interface Type