PCNSE Exam Domain 1 (PLAN)
A Panorama template stack contains two templates and one configuration setting has a different
value in each template. When Panorama pushes the template stack to the managed firewalls,
which setting value will the firewalls receive? - ANS - Value from the top template of the stack
\A potential customer says it wants to maximize the threat detection capability of its
next-generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect threats? - ANS - WildFire
URL Filtering
DNS Security
\A private cloud has 20 VLANs spread over five ESXi hypervisors, managed by a single
vCenter. How many firewall VMs are needed to implement microsegmentation? - ANS - Five
\A virtual router can use a Redistribution Profile to share routers between which three routing
protocols? - ANS - 1. OSPF
2. BGP
3. Static
\A VM-Series firewall differs from a physical Palo Alto Networks firewall in which way? - ANS - A
VM-Series firewall supports fewer traffic interface types
\An App-ID used in an Application Override policy rule should have which characteristics? - ANS
- New App-ID with no signature information
\Application Override is triggered by which configuration setting? - ANS - Application Override
policy rule
\For and external device to consume a local User-ID-to-IP-address mapping table, which data is
used for authentication between the devices? - ANS - Source device's User-ID Collector Name
and Pre-shared Key
\For which two places do you configure flood protection? - ANS - 1. DoS Protection Profile
2. Zone Protection Profile
\For which two reasons are denial-of-service protections applied by zone? - ANS - 1. Because
denial DoS protections are applied early in the processing, before much information is known
about the connection but when the ingress interface is already known
2. Because DoS protections are applied only when manually turned on to avoid quota overload
(which would make DoS easier)
\From where can you buy and download a VM-Series virtual firewall appliance for a public cloud
deployment? - ANS - Could vendor's "Solution Marketplace"
\How are firewalls configurations in an active/passive HA pair synchronized if the firewalls are
not under Panorama control? - ANS - An administrator commits the change to one, which
automatically synchronizes with the other
\How are log retention periods on Palo Alto Networks firewalls increased? - ANS - Forward logs
to external Log Collectors
\How can the next-generation firewall inform web browsers that a web server's certificate is from
an unknown CA? - ANS - Have two CA certs in the firewall, one used to produce certs for sites
A Panorama template stack contains two templates and one configuration setting has a different
value in each template. When Panorama pushes the template stack to the managed firewalls,
which setting value will the firewalls receive? - ANS - Value from the top template of the stack
\A potential customer says it wants to maximize the threat detection capability of its
next-generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect threats? - ANS - WildFire
URL Filtering
DNS Security
\A private cloud has 20 VLANs spread over five ESXi hypervisors, managed by a single
vCenter. How many firewall VMs are needed to implement microsegmentation? - ANS - Five
\A virtual router can use a Redistribution Profile to share routers between which three routing
protocols? - ANS - 1. OSPF
2. BGP
3. Static
\A VM-Series firewall differs from a physical Palo Alto Networks firewall in which way? - ANS - A
VM-Series firewall supports fewer traffic interface types
\An App-ID used in an Application Override policy rule should have which characteristics? - ANS
- New App-ID with no signature information
\Application Override is triggered by which configuration setting? - ANS - Application Override
policy rule
\For and external device to consume a local User-ID-to-IP-address mapping table, which data is
used for authentication between the devices? - ANS - Source device's User-ID Collector Name
and Pre-shared Key
\For which two places do you configure flood protection? - ANS - 1. DoS Protection Profile
2. Zone Protection Profile
\For which two reasons are denial-of-service protections applied by zone? - ANS - 1. Because
denial DoS protections are applied early in the processing, before much information is known
about the connection but when the ingress interface is already known
2. Because DoS protections are applied only when manually turned on to avoid quota overload
(which would make DoS easier)
\From where can you buy and download a VM-Series virtual firewall appliance for a public cloud
deployment? - ANS - Could vendor's "Solution Marketplace"
\How are firewalls configurations in an active/passive HA pair synchronized if the firewalls are
not under Panorama control? - ANS - An administrator commits the change to one, which
automatically synchronizes with the other
\How are log retention periods on Palo Alto Networks firewalls increased? - ANS - Forward logs
to external Log Collectors
\How can the next-generation firewall inform web browsers that a web server's certificate is from
an unknown CA? - ANS - Have two CA certs in the firewall, one used to produce certs for sites
