Palo Alto Networks PCNSE Exam Questions Instant Access

Question 1

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

ADestination user/group

BURL Category

CDestination Domain

Dvideo streaming application

ESource Domain

FClient Application Process

Answer : C, D, E

Question 2

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?

AIt downgrades the protocol to ensure compatibility.

BIt generates a decryption error message but allows the traffic to continue decryption.

CIt blocks all communication with the server indefinitely.

DIt automatically adds the server to the SSL decryption exclusion list.

Answer : D

Question 3

A standalone firewall with local objects and policies needs to be migrated into Panoram

a. What procedure should you use so Panorama is fully managing the firewall?

AUse the 'import device configuration to Panorama' operation, commit to Panorama, then 'export or push device config bundle' to push the configuration.

BUse the 'import Panorama configuration snapshot' operation, commit to Panorama, then 'export or push device config bundle' to push the configuration.

CUse the 'import device configuration to Panorama' operation, commit to Panorama, then perform a device-group commit push with 'include device and network templates'.

DUse the 'import Panorama configuration snapshot' operation, commit to Panorama, then perform a device-group commit push with 'include device and network templates'.

Answer : C

Question 4

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?

AThe firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet.1 and $permitted-subnet-2.

BThe firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

CThe firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

DThe firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

Answer : D

Question 5

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?

AConfigure a dynamic address group for the addresses to be blocked with the tag 'malicious.' Add a Log Forwarding profile to the other policies, which adds the 'malicious' tag to these addresses when logs are generated in the threat log. Under Device > User Identification > Trusted Source Address, add the condition 'NOT malicious.'

BConfigure a dynamic user group for the users to be blocked with the tag 'malicious.' Add a Log Forwarding profile to the other policies, which adds the 'malicious' tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.

CConfigure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, create signature policies for the relevant signatures and/or severities. Under the 'Actions' tab in 'Signature Policies,' select 'block-user.'

DN/A

Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.

Question 6

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

ANAT

BDOS protection

CQoS

DTunnel inspection

Answer : C

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role1. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device2. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc3. This can help optimize the network performance and ensure the quality of service for critical applications and devices.

Question 7

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

AThe profile rule action

BCVE column

CExceptions lab

DThe profile rule threat name

Answer : C

The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.

If you not believed, then login the firewall go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information including specific actions.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC

Palo Alto Networks Certified Security Engineer PAN-OS 11.0 PCNSE Exam Questions