Palo Alto Networks PCNSC Exam Practice Test Instant Access

Question 1

A customer who has a multi-tenant environment needs the administrator to be restricted lo specific objects and policies in the virtual system within its tenant How can an administrators access be restricted?

ADefine access domains for virtual systems in the environment

BDefine an Admin Role Profile with Panorama enabling all access

CDefine an access domain that enables the device groups assigned to the admin

DDefine an Admin Role Profile with a device group and template enabling all access

Answer : A

To restrict an administrator's access to specific objects and policies in the virtual system within a multi-tenant environment, you should:

A . Define access domains for virtual systems in the environment

Access domains allow you to control administrator access to specific virtual systems, device groups, and templates. By defining access domains, you can restrict the administrator's permissions to only the relevant sections of the configuration, ensuring they can manage only the objects and policies within their assigned virtual systems.

Palo Alto Networks - Admin Role Profiles and Access Domains: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/administering-pan-os/admin-role-profiles-and-access-domains

Palo Alto Networks - Multi-Tenancy in Virtual Systems: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/multi-tenancy

Question 2

Which three steps must an administrator perform to load only address objects from a PAN-OS saved configuration file into a VM-3C0 firewall that is in production? (Choose three)

Ause the device configuration import in Panorama

BImport named configuration snapshot through the web interface

Cload the config in the web interface and commit

Denter the configuration mode from the CLI

Euse load config partial command

Answer : C, D, E

To load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production, the administrator must follow these three steps:

C . Enter the configuration mode from the CLI: This step is necessary to prepare the firewall to accept the new configuration.

D . Use the load config partial command: This command allows the administrator to load only specific parts of the configuration, such as address objects, from a saved configuration file without overwriting the entire configuration. The command syntax typically looks like this: load config partial from <source-configuration> mode merge exclude everything but address objects.

E . Import named configuration snapshot through the web interface: This involves importing the configuration snapshot that contains the address objects through the web interface, but only after ensuring that the specific address objects are targeted and not the entire configuration.

Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start

Palo Alto Networks - How to Use the Partial Configuration Load Feature: https://knowledgebase.paloaltonetworks.com

Question 3

In preparation for a cutover event, what two processes or procedures should be verified? (Choose two)

Aauditing

Bchange management requirements

Croles and responsibilities

Dlogging and reporting

Answer : B, C

For any cutover event, especially when dealing with network security infrastructure like Palo Alto Networks firewalls, it is critical to ensure that:

Change Management Requirements (B): This involves verifying that all planned changes have been approved, documented, and communicated to all relevant stakeholders. The change management process ensures that any modifications are controlled, predictable, and include a rollback plan in case of issues. Reference: Palo Alto Networks Best Practices for Change Management Documentation.

Roles and Responsibilities (C): Clearly defined roles and responsibilities ensure that everyone involved knows their specific tasks during the cutover. This reduces confusion, ensures accountability, and helps in the smooth execution of the cutover plan. It includes defining who is responsible for specific tasks, who needs to be notified, and who has the authority to make decisions. Reference: Palo Alto Networks Operational Best Practices Documentation.

Question 4

Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices What three steps are needed to set up tunnel monitoring? (Choose three)

ACreate a monitoring profile

BAdd an IP address to each tunnel interface

CRestart each IPsec tunnel

DRestart each IKE gateway

EEnable tunnel monitoring on each IPsec tunnel

Answer : A, B, E

To set up tunnel monitoring on an IPsec VPN tunnel between two offices, the following steps are needed:

A . Create a monitoring profile: This profile defines the criteria for monitoring, such as the IP address to ping and the failure condition.

B . Add an IP address to each tunnel interface: Tunnel monitoring requires an IP address on each tunnel interface to send and receive monitoring pings.

E . Enable tunnel monitoring on each IPsec tunnel: This step activates the monitoring profile on the IPsec tunnel, ensuring that the tunnel is actively monitored and can trigger alerts or failover mechanisms if the tunnel goes down.

These steps ensure that the tunnel is properly monitored, allowing for proactive detection and response to connectivity issues.

Palo Alto Networks - Configuring IPsec Tunnel Monitoring: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/site-to-site-vpn/configure-ipsec-tunnel-monitoring

Question 5

You are hosting a public-facing web server on your DMZ and access to that server is through a Palo Alto Networks firewall Both internal clients and internet clients access this web server using the FQDN public webserver acme com which resolves to the public address of 99.99 99.2

Which combination of NAT policies is necessary to enable access to the web server for both internal and internet clients?

AOption A

BOption B

COption C

DOption D

Answer : C

To enable access to a public-facing web server for both internal and internet clients using the FQDN public.webserver.acme.com, which resolves to the public address 99.99.99.2, the necessary combination of NAT policies is:

C . Option C

Policy 11: DMZ to Untrust

Source Zone: DMZ

Destination Zone: Untrust

Destination Address: Web_Server_Public_99.99.99.2

Destination Translation: address: Web_Server_Private_172.16.1.2

Policy 12: Untrust to Untrust

Source Zone: Untrust

Destination Zone: Untrust

Destination Address: Web_Server_Public_99.99.99.2

Destination Translation: address: Web_Server_Private_172.16.1.2

These policies ensure that traffic destined for the public IP address 99.99.99.2 from both the DMZ and Untrust zones is properly translated to the internal web server's private IP address 172.16.1.2.

Palo Alto Networks - NAT Configuration: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules

Question 6

In Panorama, what is the correct order of precedence for security policies?

ADevice group pre-rules, shared pre-rules, local rules, device group post-rules, shared post-rules

BShared pre-rules, device group pre-rules, local rules, shared post-rules, device group post-rules

CShared pre-rules, device group pre-rules, local rules, device group post-rules, shared post-rules

DDevice group pre-rules, shared pre-rules, local rules, shared post-rules, device group post-rules

Answer : C

Question 7

In a multi-tenant environment, what feature allows you to assign different administrators to different tenants?

AAdmin Roles

BDevice Groups

CAccess Domains

DVirtual Systems

Answer : C

Palo Alto Networks Certified Network Security Consultant PCNSC Exam Practice Test