Palo Alto Networks PCNSE Exam Practice Test Instant Access

Question 1

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

ATAP

BLayer 2

CLayer 3

DVirtual Wire

Answer : B, D

Question 2

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

ATCP Fast Open in the Strip TCP options

BEthernet SGT Protection

CStream ID in the IP Option Drop options

DRecord Route in IP Option Drop options

Answer : B

Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies. The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.

Question 3

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?

ACreate the appropriate rules with a Block action and apply them at the top ol the Security Pre-Rules.

BCreate the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

CCreate the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

DCreate the appropriate rules with a Block action and apply them at the top of the Default Rules.

Answer : A

In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules. For verification, please refer to the Palo Alto Networks 'PAN-OS Administrator's Guide' or the official configuration documentation for Panorama and device group rules.

Question 4

Which three statements accurately describe Decryption Mirror? (Choose three.)

ADecryption Mirror requires a tap interface on the firewall

BUse of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

COnly management consent is required to use the Decryption Mirror feature.

DDecryption, storage, inspection, and use of SSL traffic are regulated in certain countries.

EYou should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.

Question 5

What can the Log Forwarding built-in action with tagging be used to accomplish?

ABlock the source zones of selected unwanted traffic.

BBlock the destination IP addresses of selected unwanted traffic.

CForward selected logs to the Azure Security Center.

DBlock the destination zones of selected unwanted traffic.

Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes. For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.

Question 6

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

AValues in Chicago

BValues in efw01lab.chi

CValues in Datacenter

DValues in Global Settings

Answer : B

Question 7

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

AClient probing

BSyslog

CXFF Headers

DServer Monitoring

Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies. For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.

Palo Alto Networks Certified Security Engineer PAN-OS 11.0 Exam Practice Test