PCNSE : Palo Alto Networks Certified Network Security Engineer : Part 09

PCNSE : Palo Alto Networks Certified Network Security Engineer : Part 09

1. Which two events trigger the operation of automatic commit recovery? (Choose two.)

   • when an aggregate Ethernet interface component fails
   • when Panorama pushes a configuration
   • when a firewall performs a local commit
   • when a firewall HA pair fails over

   Explanation:

   Reference:

   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama-features/automatic-panorama-connection-recovery.html

2. Panorama provides which two SD-WAN functions? (Choose two.)

   • network monitoring
   • control plane
   • data plane
   • physical network links

3. Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

   • respond to changes in user behaviour or potential threats using manual policy changes
   • respond to changes in user behaviour or potential threats without manual policy changes
   • respond to changes in user behaviour or potential threats without automatic policy changes
   • respond to changes in user behaviour and confirmed threats with manual policy changes
   Explanation:
   Reference:
   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-dynamic-user-groups-in-policy.html

4. How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

   • by adding the device’s Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
   • by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook
   • by using security policies, log forwarding profiles, and log settings
   • there is no native auto-quarantine feature so a custom script would need to be leveraged
   Explanation:
   Reference:
   https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/host-information/quarantine-devices-using-host-information/automatically-quarantine-a-device

5. To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

   • PBP (Protocol Based Protection)
   • BGP (Border Gateway Protocol)
   • PGP (Packet Gateway Protocol)
   • PBP (Packet Buffer Protection)
   Explanation:
   Reference:
   https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

6. A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:

   

   The USB flash drive has been inserted in the firewalls’ USB port, and the firewall has been restarted using command: > request restart system

   Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:

   • The bootstrap.xml file is a required file, but it is missing
   • Firewall must be in factory default state or have all private data deleted for bootstrapping
   • The hostname is a required parameter, but it is missing in init-cfg.txt
   • PAN-OS version must be 9.1.x at a minimum, but the firewall is running 10.0.x
   • The USB must be formatted using the ext3 file system. FAT32 is not supported
   Explanation:
   Reference:
   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/prepare-a-usb-flash-drive-for-bootstrapping-a-firewall.html

7. An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

   • default-no-captive-portal
   • default-authentication-bypass
   • default-browser-challenge
   • default-web-form
   Explanation:
   Reference:
   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-authentication

8. A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system ntfs and the initial configuration is stored in a file named init-cfg.txt.

   The contents of init-cfg.txt in the USB flash drive are as follows:

   

   The USB flash drive has been inserted in the firewalls’ USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because:

   • the bootstrap.xml file is a required file, but it is missing
   • nit-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml
   • The USB must be formatted using the ext4 file system
   • There must be commas between the parameter names and their values instead of the equal symbols
   • The USB drive has been formatted with an unsupported file system

9. To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations.

   Which one is the correct configuration?

   • &Panorama
   • @Panorama
   • $Panorama
   • #Panorama
   Explanation:
   Reference:
   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/panorama-features/configuration-reusability-for-templates-and-template-stacks.html

10. On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

    • 1. Select Device > Certificate Management > Certificates > Device > Certificates
      2. Import the certificate
      3. Select Import Private key
      4. Click Generate to generate the new certificate
    • 1. Select Device > Certificates
      2. Select Certificate Profile
      3. Generate the certificate
      4. Select Block Private Key Export
    • 1. Select Device > Certificate Management > Certificates > Device > Certificates
      2. Generate the certificate
      3. Select Block Private Key Export
      4. Click Generate to generate the new certificate
    • 1. Select Device > Certificates
      2. Select Certificate Profile
      3. Generate the certificate
      4. Select Block Private Key Export
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/block-export-of-private-keys.html

11. What is the maximum number of samples that can be submitted to WildFire manually per day?

    • 1,000
    • 2,000
    • 5,000
    • 15,000
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/submit-files-for-wildfire-analysis/manually-upload-files-to-the-wildfire-portal.html#:~:text=If%20you%20have%20a%20WildFire,also%20includes%20WildFire%20API%20submissions.

12. What file type upload is supported as part of the basic WildFire service?

    • ELF
    • BAT
    • PE
    • VBS
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-subscription.html#:~:text=With%20the%20basic%20WildFire%20service,available%20every%2024%2D48%20hours.

13. An administrator accidentally closed the commit window/screen before the commit was finished.

    Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

    • Task Manager
    • System Logs
    • Traffic Logs
    • Configuration Logs