PCNSE Flashcards

1
Q
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
•	A. check 
•	B. find 
•	C. test 
•	D. Sim
A

C. test

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
• A. Virtual router
• B. Security zone
• C. ARP entries
• D. Netflow Profile

A

A. Virtual Router

B. Security Zone

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?
• A. Anti-Spyware
• B. Instruction Prevention
• C. File Blocking
• D. Antivirus

A

D. Antivirus

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
• A. Preconfigured GlobalProtect satellite
• B. Preconfigured GlobalProtect client
• C. Preconfigured IPsec tunnels
• D. Preconfigured PPTP Tunnels

A

A. Preconfigured GlobalProtect satellite

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
• A. 0
• B. 99
• C. 1
• D. 255

A

D. 255

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?
• A. The Passive firewall, which then synchronizes to the active firewall
• B. The active firewall, which then synchronizes to the passive firewall
• C. Both the active and passive firewalls, which then synchronize with each other
• D. Both the active and passive firewalls independently, with no synchronization afterward

A

D. Both the active and passive firewalls independently, with no synchronization afterward

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
• A. To enable Gateway authentication to the Portal
• B. To enable Portal authentication to the Gateway
• C. To enable user authentication to the Portal
• D. To enable client machine authentication to the Portal

A

C. To enable user authentication to the Portal

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
• A. The settings assigned to the template that is on top of the stack.
• B. The administrator will be promoted to choose the settings for that chosen firewall.
• C. All the settings configured in all templates.
• D. Depending on the firewall location, Panorama decides with settings to send.

A

A. The settings assigned to the template that is on top of the stack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which method will dynamically register tags on the Palo Alto Networks NGFW?
• A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
• B. Restful API or the VMware API on the firewall or on the User-ID agent
• C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
• D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

A

D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
• A. Configure the option for “Threshold”.
• B. Disable automatic updates during weekdays.
• C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
• D. Automatically “download and install” but with the “disable new applications” option used.

A

A. Configure the option for “Threshold”.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
• A. Device>Setup>Services>AutoFocus
• B. Device> Setup>Management >AutoFocus
• C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
• D. Device>Setup>WildFire>AutoFocus
• E. Device>Setup> Management> Logging and Reporting Settings

A

B. Device> Setup>Management >AutoFocus

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
• A. Security policy rule allowing SSL to the target server
• B. Firewall connectivity to a CRL
• C. Root certificate imported into the firewall with “Trust” enabled
• D. Importation of a certificate from an HSM

A

A. Security policy rule allowing SSL to the target server

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
• A. Red Hat Enterprise Virtualization (RHEV)
• B. Kernel Virtualization Module (KVM)
• C. Boot Strap Virtualization Module (BSVM)
• D. Microsoft Hyper-V

A

B. Kernel Virtualization Module (KVM)

D. Microsoft Hyper-V

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?
•	A. XML API
•	B. Port Mapping
•	C. Client Probing
•	D. Server Monitoring
A

A. XML API

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?
•	A. web-browsing and 443
•	B. SSL and 80
•	C. SSL and 443
•	D. web-browsing and 80
A

A. web-browsing and 443

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
Which PAN-OS policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?
•	A. Security policy
•	B. Decryption policy
•	C. Authentication policy
•	D. Application Override policy
A

C. Authentication policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

A Security policy rule is configured with a Vulnerability Protection Profile and an action of ‘Deny”.
Which action will this cause configuration on the matched traffic?
• A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to “Deny”.
• B. The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
• C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
• D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule

A

B. The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A users traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the users traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?
• A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
• B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
• C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
• D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

A

B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are two benefits of nested device groups in Panorama? (Choose two.)
• A. Reuse of the existing Security policy rules and objects
• B. Requires configuring both function and location for every device
• C. All device groups inherit settings form the Shared group
• D. Overwrites local firewall configuration

A

A. Reuse of the existing Security policy rules and objects

C. All device groups inherit settings form the Shared group

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q
Which Captive Portal mode must be configured to support MFA authentication?
•	A. NTLM
•	B. Redirect
•	C. Single Sign-On
•	D. Transparent
A

B. Redirect

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

. An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

  • A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
  • B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
  • C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
  • D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router
A

A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

22
Q

A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?
• A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
• B. set deviceconfig system speed-duplex 1Gbps-duplex
• C. set deviceconfig system speed-duplex 1Gbps-full-duplex
• D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

A

C. set deviceconfig system speed-duplex 1Gbps-full-duplex

23
Q

A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.
• A. application: web-browsing; service: application-default
• B. application: web-browsing; service: service-https
• C. application: ssl; service: any
• D. application: web-browsing; service: (custom with destination TCP port 8080)

A

D. application: web-browsing; service: (custom with destination TCP port 8080)

24
Q
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS software would help in this case?
•	A. Application override
•	B. Redistribution of user mappings
•	C. Virtual Wire mode
•	D. Content inspection
A

B. Redistribution of user mappings

25
Q
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?
•	A. Okta
•	B. DUO
•	C. RADIUS
•	D. PingID
A

C. RADIUS

26
Q

How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?
• A. Use the debug dataplane packet-diag set capture stage firewall file command.
• B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
• C. Use the debug dataplane packet-diag set capture stage management file command.
• D. Use the tcpdump command.

A

D. Use the tcpdump command.

27
Q

An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications.
QoS natively integrates with which feature to provide service quality?
• A. Port Inspection
• B. Certificate revocation
• C. Content-ID
• D. App-ID

A

D. App-ID

28
Q

A session in the Traffic log is reporting the application as “incomplete.”
What does “incomplete” mean?
• A. The three-way TCP handshake was observed, but the application could not be identified.
• B. The three-way TCP handshake did not complete.
• C. The traffic is coming across UDP, and the application could not be identified.
• D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

A

A. The three-way TCP handshake was observed, but the application could not be identified.

29
Q
34. Which three settings are defined within the Templates object of Panorama? (Choose three.)
•	A. Setup
•	B. Virtual Routers
•	C. Interfaces
•	D. Security
•	E. Application Override
A

A. Setup
B. Virtual Routers
C. Interfaces

30
Q

A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)
• A. Application Override policy.
• B. Security policy to identify the custom application.
• C. Custom application.
• D. Custom Service object.

A

A. Application Override policy.

C. Custom application.

31
Q
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?
•	A. Admin Role
•	B. WebUI
•	C. Authentication
•	D. Authorization
A

A. Admin Role

32
Q
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)
•	A. WildFire updates
•	B. NAT
•	C. NTP
•	D. antivirus
•	E. File blocking
A

B. NAT
D. antivirus
E. File blocking

33
Q

. An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
• A. Use the import option to pull logs into Panorama.
• B. A CLI command will forward the pre-existing logs to Panorama.
• C. Use the ACC to consolidate pre-existing logs.
• D. The log database will need to exported form the firewalls and manually imported into Panorama.

A

B. A CLI command will forward the pre-existing logs to Panorama.

34
Q

A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?
• A. More than 15 minutes
• B. 5 minutes
• C. 10 to 15 minutes
• D. 5 to 10 minutes

A

D. 5 to 10 minutes

35
Q
VPN traffic intended for an administrators Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?
•	A. Zone Protection
•	B. DoS Protection
•	C. Web Application
•	D. Replay
A

A. Zone Protection

36
Q
Which Palo Alto Networks VM-Series firewall is valid?
•	A. VM-25
•	B. VM-800
•	C. VM-50
•	D. VM-400
A

C. VM-50

37
Q

An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW.
The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?
• A. Custom application
• B. System logs show an application error and neither signature is used.
• C. Downloaded application
• D. Custom and downloaded application signature files are merged and both are used

A

A. Custom application

38
Q
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.) 
•	A. .dll
•	B. .exe
•	C. .src
•	D. .apk
•	E. .pdf
•	F. .jar
A

A. .dll
B. .exe
C. .src

39
Q
Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
•	A. Kerberos
•	B. PAP
•	C. SAML
•	D. TACACS+
•	E. RADIUS
•	F. LDAP
A

C. SAML
D. TACACS+
E. RADIUS

40
Q

Which event will happen if an administrator uses an Application Override Policy?
• A. Threat-ID processing time is decreased.
• B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
• C. The application name assigned to the traffic by the security rule is written to the Traffic log.
• D. App-ID processing time is increased.

A

B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.

41
Q

Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?
• A. Deny application facebook-chat before allowing application facebook
• B. Deny application facebook on top
• C. Allow application facebook on top
• D. Allow application facebook before denying application facebook-chat

A

A. Deny application facebook-chat before allowing application facebook

42
Q

A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?
• A. Enable packet buffer protection on the Zone Protection Profile.
• B. Apply an Anti-Spyware Profile with DNS sinkholing.
• C. Use the DNS App-ID with application-default.
• D. Apply a classified DoS Protection Profile.

A

D. Apply a classified DoS Protection Profile.

43
Q

If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?
• A. Mapping to the IP address of the logged-in user.
• B. First four letters of the username matching any valid corporate username.
• C. Using the same user’s corporate username and password.
• D. Marching any valid corporate username

A

A. Mapping to the IP address of the logged-in user.

44
Q
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?
•	A. Client Probing
•	B. Terminal Services agent
•	C. GlobalProtect
•	D. Syslog Monitoring
A

B. Terminal Services agent

45
Q

An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web- browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS software can be upgraded?
• A. Security policy rule
• B. CRL
• C. Service route
• D. Scheduler

A

C. Service route

46
Q
Which feature prevents the submission of corporate login information into website forms?
•	A. Data filtering
•	B. User-ID
•	C. File blocking
•	D. Credential phishing prevention
A

D. Credential phishing prevention

47
Q
Which option is part of the content inspection process?
•	A. Packet forwarding process
•	B. SSL Proxy re-encrypt
•	C. IPsec tunnel encryption
•	D. Packet egress process
A

B. SSL Proxy re-encrypt

48
Q
In a virtual router, which object contains all potential routes?
•	A. MIB
•	B. RIB
•	C. SIP
•	D. FIB
A

B. RIB

49
Q

An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?
• A. Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy.
• B. Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy.
• C. Disable the exclude cache option for the firewall.
• D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

A

D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

50
Q

Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?
• A. Configure a Decryption Profile and select SSL/TLS services.
• B. Set up SSL/TLS under Polices > Service/URL Category>Service.
• C. Set up Security policy rule to allow SSL communication.
• D. Configure an SSL/TLS Profile.

A

D. Configure an SSL/TLS Profile.