PCNSE Online Practice Questions and Answers

An administrator notices that an interlace configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

A. Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

B. Reload the running configuration and perform a Firewall local commit.

C. Perform a template commit push from Panorama using the "Force Template Values'' option

D. Perform a commit force from the CLI of the firewall.

When you configure a Layer 3 interface what is one mandatory step?

A. Configure Security profiles, which need to be attached to each Layer 3 interface

B. Configure Interface Management profiles which need to be attached to each Layer 3 interface

C. Configure virtual routers to route the traffic for each Layer 3 interface

D. Configure service routes to route the traffic for each Layer 3 interface

Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

A. Configure a Decryption Profile and select SSL/TLS services.

B. Set up SSL/TLS under Polices > Service/URL Category>Service.

C. Set up Security policy rule to allow SSL communication.

D. Configure an SSL/TLS Profile.

For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )

A. equal-cost multipath

B. ingress processing errors

C. rule match with action "allow"

D. rule match with action "deny"

Which two features does PAN-OS software use to identify applications? (Choose two)

A. port number

B. session number

C. transaction characteristics

D. application layer payload

An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

A. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from themanagement interfaced destined for the update servers goes out of the interface acting as your internet connection.

B. Configure a security policy rule to allow all traffic to and from the update servers.

C. Download and install application updates cannot be done automatically if the MGT port cannot reach the internet.

D. Configure a service route for Palo Alto networks services that uses a dataplane interface that can route traffic to the internet, and create a security policy rule to allow the traffic from that interface to the update servers if necessary.

Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

A. Log

B. Alert

C. Allow

D. Default

An engineer is tasked with configuring SSL forward proxy for traffic going to external sites. Which of the following statements is consistent with SSL decryption best practices?

A. The forward trust certificate should not be stored on an HSM.

B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.

C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL decryption

D. The forward untrust certificate should not be signed by a Trusted Root CA

An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which Mo variable types can be defined? (Choose two.)

A. Path group

B. Zone

C. IP netmask

D. FQDN

An engineer is configuring a firewall with three interfaces:

1.

MGT connects to a switch with internet access.

2.

Ethernet1/1 connects to an edge router.

3.

Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

A. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

B. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

C. Set DNS and Palo Alto Networks Services to use the MGT source interface.

D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.