PCNSE Online Practice Questions and Answers

Correct Answer: AD

Correct Answer: D

A certificate with only the Forward Trust option selected is required for SSL Forward Proxy decryption, which is the most common type of SSL decryption deployment. A certificate with both the Forward Trust and Forward Untrust options selected is required for SSL Inbound Inspection decryption, which is less common. A Decryption profile is not required before any traffic that matches an SSL decryption rule is decrypted, but it is recommended to apply one to control how the firewall handles traffic that cannot be decrypted.

References: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-forward-proxy https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-inbound-inspection https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices

Correct Answer: ABE

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces

"The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT."

Correct Answer: A

The heartbeat interval determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping). The default value is 1000 milliseconds (1 second). The heartbeat interval is used to detect failures and trigger fail over in an HA pair The other options are not correct. The hello interval determines the frequency at which the HA peers exchange messages in the form of an HA packet. The default value is 3000 milliseconds (3 seconds). The hello interval is used to establish and maintain HA connectivity The promotion hold time determines the amount of time that a passive firewall waits before it becomes active after detecting a failure on the active firewall. The default value is 5000 milliseconds (5 seconds) The monitor fail hold up time determines the amount of time that a firewall waits before it declares a monitor failure after detecting a link down event on an interface. The default value is 2000 milliseconds (2 seconds)

References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

Correct Answer: B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0

Correct Answer: D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-scheduled-config-export "Select the protocol to use to export logs from Panorama to a remote host. Secure Copy (SCP) is a secure protocol; FTP is not."

Correct Answer: AB

Correct Answer: B

The **IKE crypto profile** is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

The **IPSec crypto profile** is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

Correct Answer: AD

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama- overview/centralized-firewall-configuration-and-update-management/device-groups/device- group-hierarchy

Correct Answer: B

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url- filtering/url-filtering-profile-actions

Correct Answer: A

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/map-ip- addresses-to-users/configure-user-mapping-for-terminal-server-users

Correct Answer: A

https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set- up-the-vm-series-firewall-on-nsx/set-up-the-vm-series-firewall-on-vmware-nsx/dynamically- quarantine-infected-guests.html#id8e9a242e-e038-4ba2-b0eaeaaf53690be0

Correct Answer: B

http://live.paloaltonetworks.com//t5/image/serverpage/image- id/12862i950F549C7D4E6309

Correct Answer: ABC

Correct Answer:

Plan to defend your network against different types of DoS attacks:

Application-Based Attacks

--Target weaknesses in a particular application and try to exhaust its resources so legitimate users can't use it. An example of this is the Slowloris attack.

Protocol-Based Attacks

--Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.

Volumetric Attacks

--High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense.html