Palo Alto Networks PCNSE Exam Questions Instant Access

Question 1

Exhibit.

Review the screenshots and consider the following information

1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

AServer-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

BServer-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2.

CServer-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

DServer-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.

Question 2

In the following image from Panorama, why are some values shown in red?

Asg2 session count is the lowest compared to the other managed devices.

Bus3 has a logging rate that deviates from the administrator-configured thresholds.

Cuk3 has a logging rate that deviates from the seven-day calculated baseline.

Dsg2 has misconfigured session thresholds.

Answer : C

Question 3

What must be configured to apply tags automatically based on User-ID logs?

ADevice ID

BLog Forwarding profile

CGroup mapping

DLog settings

Answer : D

To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule.The tags can then be used for dynamic address groups, policy enforcement, or reporting1.Reference:Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)

Question 4

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

AUse the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

BUse the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

CUse the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes

DUse the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices

Answer : A

Question 5

The UDP-4501 protocol-port is to between which two GlobalProtect components?

AGlobalProtect app and GiobalProtect satellite

BGlobalRrotect app and GlobalProtect gateway

CGlobalProtect portal and GlobalProtect gateway

DGlobalProtect app and GlobalProtect portal

Answer : B

Question 6

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

ASpecify the subinterface as a management interface in Setup > Device > Interfaces.

BAdd the network segment's IP range to the Permitted IP Addresses list.

CEnable HTTPS in an Interface Management profile on the subinterface.

DConfigure a service route for HTTP to use the subinterface.

Answer : C

To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

C . This can be achieved by:

Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.

Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.

This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.

Question 7

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

ACreate a no-decrypt Decryption Policy rule.

BConfigure an EDL to pull IP addresses of known sites resolved from a CRL.

CCreate a Dynamic Address Group for untrusted sites

DCreate a Security Policy rule with vulnerability Security Profile attached.

EEnable the ''Block sessions with untrusted issuers'' setting.

Answer : A, D

Palo Alto Networks Certified Security Engineer PAN-OS 11.0 PCNSE Exam Questions