Palo Alto Networks: PCNSE Practice
Exam Questions
A company hosts a publicly accessible web application on a server that resides in the Trust-L3
zone. The web server is associated with the following IP addresses: Web Server Public IP:
2.2.2.1 (UntrustL3 zone) and Web Server Private IP: 192.168.1.10 (TrustL3 zone). The security
administrator configures the following two-zone U Turn NAT rule to allow users using
10.10.1.0/24 inside the "TrustL3" zone to access the web server using its public IP address.
Which statement is true in this situation? (See question 49) - ANS - The traffic will be considered
intra-zone based on the translated destination zone.
\A company is deploying a pair of firewalls in an environment requiring support for asymmetric
routing. Which High Availability (HA) mode best supports this design requirement? - ANS -
Active-Active
\A company is planning to upgrade their PA-820 firewalls to a larger platform to support their
need for eight 10Gb SFP+ interfaces. Which two platforms will support their requirement? - ANS
- PA-3250
PA-3260
\A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
effort. Once deployed, each firewall must establish secure tunnels back to multiple regional data
centers to include the future regional data centers. Which VPN configuration would adapt to
changes when deployed to the future site? - ANS - GlobalProtect Satellite
\A company uses Active Directory and RADIUS to capture User-ID information and implement
user-based policies to control web access. There are many Linux and Mac computers in the
environment that do not have IP -address-to-user mappings. What is the best way to collect
user information for those systems? - ANS - Use Captive Portal to capture user information
\A company wants to run their pair of firewalls in a High Availability active/passive mode and will
be using HA-Lite. Which capability can be used in this situation? - ANS - Configuration Sync
\A company wants to use their Active Directory groups to simplify their Security policy creation
from Panorama. Which configuration is necessary in order to be able to select user groups
directly inside Panorama policies? - ANS - Configure a master device within the device group
\A customer has a requirement for a hardware firewall that supports at least two virtual systems
(vsys). Which platform would be the smallest one to meet the requirement? - ANS - PA-3220
\A customer has an application that is being identified as unknown-tcp for one of their custom
PostgreSQL database connections. Which two configuration options can be used to correctly
categorize their custom database application? - ANS - Custom Application
Application Override Policy
\A Management Profile to allow SSH access has been created and applied to interface
ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone
to "any" destination zone. What will happen when someone attempts to initiate an SSH
connection to ethernet1/1? - ANS - SSH access to the interface will be denied because of the
above mentioned rule.
, SSH access to the interface will be denied because intra-zone traffic is denied.
\A network administrator needs to view the default action for a specific spyware signature. The
administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware
and selects the default Profile. What should be done next? - ANS - Click the Exceptions tab and
then click Show all signatures.
\A Palo Alto Networks firewall has been configured with multiple virtual systems and is
administered by multiple personnel. Several administrators are logged into the firewall and are
making configuration changes to separate virtual systems at the same time. Which option will
ensure that no single administrator's changes are interrupted or undone by another
administrator while still allowing all administrators to complete their changes prior to issuing a
commit? - ANS - Each administrator sets a configuration and commit lock for the vsys to which
they are making changes.
\A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating
a flood of bogus TCP connections to internal servers behind the firewall. This traffic is allowed
by security policies, and other than creating half open TCP connections, it is indistinguishable
from legitimate inbound traffic. Which Zone Protection Profile with SYN Flood Protection action,
when enabled with the correct threshold, would mitigate this attack without dropping legitimate
traffic? - ANS - SYN Cookies applied on the internet facing zone
\A Palo Alto Networks firewall is configured with a NAT policy rule that performs the following
source translation: Which packet capture filters need to be configured to match c2s and s2c
traffic in the Transmit stage for a session originating from 192.168.1.10 in the "Trust-L3" zone to
2.2.2.2 in the "Untrust-L3" zone? (See question 29) - ANS - Filter 1 source 1.1.1.1 destination
2.2.2.2 Filter 2 source 2.2.2.2 destination 192.168.1.10
\A security engineer has been asked by management to optimize how Palo Alto Networks
firewall syslog messages are forwarded to a syslog receiver. Each firewall is configured to
forward syslogs individually. The security engineer wants to leverage their two Panorama
appliances to send syslog messages from a single source and has already deployed one
appliance in Panorama mode and the other as a Log Collector. - ANS - Configure Collector Log
Forwarding
\A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They
were asked not to share this list outside of the organization. The Chief Information Security
Officer has requested that all user access to these URLs be filtered and blocked immediately to
prevent potential breaches. However, the inline Palo Alto Networks firewall is NOT licensed for
URL Filtering. What is an efficient method for blocking access to these URLs? - ANS - Import
the URLs to a Custom URL Category and reference the URL Category in a Security policy rule
set to deny.
\A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What
happens to an already accepted and running FTP session at 5:01 p.m.? - ANS - The session
continues to run, because already accepted sessions are not re-evaluated
\A USCERT notification is published regarding a newly discovered piece of malware. The
infection is spread using spear phishing emails that prompt users to click an HTTP hyperlink,
which then downloads the malware. Palo Alto Networks has just released signatures to detect
this malware as a high severity threat and the firewall is configured to dynamically update to the
latest databases automatically. Which component and implementation will detect and prevent
Exam Questions
A company hosts a publicly accessible web application on a server that resides in the Trust-L3
zone. The web server is associated with the following IP addresses: Web Server Public IP:
2.2.2.1 (UntrustL3 zone) and Web Server Private IP: 192.168.1.10 (TrustL3 zone). The security
administrator configures the following two-zone U Turn NAT rule to allow users using
10.10.1.0/24 inside the "TrustL3" zone to access the web server using its public IP address.
Which statement is true in this situation? (See question 49) - ANS - The traffic will be considered
intra-zone based on the translated destination zone.
\A company is deploying a pair of firewalls in an environment requiring support for asymmetric
routing. Which High Availability (HA) mode best supports this design requirement? - ANS -
Active-Active
\A company is planning to upgrade their PA-820 firewalls to a larger platform to support their
need for eight 10Gb SFP+ interfaces. Which two platforms will support their requirement? - ANS
- PA-3250
PA-3260
\A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
effort. Once deployed, each firewall must establish secure tunnels back to multiple regional data
centers to include the future regional data centers. Which VPN configuration would adapt to
changes when deployed to the future site? - ANS - GlobalProtect Satellite
\A company uses Active Directory and RADIUS to capture User-ID information and implement
user-based policies to control web access. There are many Linux and Mac computers in the
environment that do not have IP -address-to-user mappings. What is the best way to collect
user information for those systems? - ANS - Use Captive Portal to capture user information
\A company wants to run their pair of firewalls in a High Availability active/passive mode and will
be using HA-Lite. Which capability can be used in this situation? - ANS - Configuration Sync
\A company wants to use their Active Directory groups to simplify their Security policy creation
from Panorama. Which configuration is necessary in order to be able to select user groups
directly inside Panorama policies? - ANS - Configure a master device within the device group
\A customer has a requirement for a hardware firewall that supports at least two virtual systems
(vsys). Which platform would be the smallest one to meet the requirement? - ANS - PA-3220
\A customer has an application that is being identified as unknown-tcp for one of their custom
PostgreSQL database connections. Which two configuration options can be used to correctly
categorize their custom database application? - ANS - Custom Application
Application Override Policy
\A Management Profile to allow SSH access has been created and applied to interface
ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone
to "any" destination zone. What will happen when someone attempts to initiate an SSH
connection to ethernet1/1? - ANS - SSH access to the interface will be denied because of the
above mentioned rule.
, SSH access to the interface will be denied because intra-zone traffic is denied.
\A network administrator needs to view the default action for a specific spyware signature. The
administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware
and selects the default Profile. What should be done next? - ANS - Click the Exceptions tab and
then click Show all signatures.
\A Palo Alto Networks firewall has been configured with multiple virtual systems and is
administered by multiple personnel. Several administrators are logged into the firewall and are
making configuration changes to separate virtual systems at the same time. Which option will
ensure that no single administrator's changes are interrupted or undone by another
administrator while still allowing all administrators to complete their changes prior to issuing a
commit? - ANS - Each administrator sets a configuration and commit lock for the vsys to which
they are making changes.
\A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating
a flood of bogus TCP connections to internal servers behind the firewall. This traffic is allowed
by security policies, and other than creating half open TCP connections, it is indistinguishable
from legitimate inbound traffic. Which Zone Protection Profile with SYN Flood Protection action,
when enabled with the correct threshold, would mitigate this attack without dropping legitimate
traffic? - ANS - SYN Cookies applied on the internet facing zone
\A Palo Alto Networks firewall is configured with a NAT policy rule that performs the following
source translation: Which packet capture filters need to be configured to match c2s and s2c
traffic in the Transmit stage for a session originating from 192.168.1.10 in the "Trust-L3" zone to
2.2.2.2 in the "Untrust-L3" zone? (See question 29) - ANS - Filter 1 source 1.1.1.1 destination
2.2.2.2 Filter 2 source 2.2.2.2 destination 192.168.1.10
\A security engineer has been asked by management to optimize how Palo Alto Networks
firewall syslog messages are forwarded to a syslog receiver. Each firewall is configured to
forward syslogs individually. The security engineer wants to leverage their two Panorama
appliances to send syslog messages from a single source and has already deployed one
appliance in Panorama mode and the other as a Log Collector. - ANS - Configure Collector Log
Forwarding
\A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They
were asked not to share this list outside of the organization. The Chief Information Security
Officer has requested that all user access to these URLs be filtered and blocked immediately to
prevent potential breaches. However, the inline Palo Alto Networks firewall is NOT licensed for
URL Filtering. What is an efficient method for blocking access to these URLs? - ANS - Import
the URLs to a Custom URL Category and reference the URL Category in a Security policy rule
set to deny.
\A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What
happens to an already accepted and running FTP session at 5:01 p.m.? - ANS - The session
continues to run, because already accepted sessions are not re-evaluated
\A USCERT notification is published regarding a newly discovered piece of malware. The
infection is spread using spear phishing emails that prompt users to click an HTTP hyperlink,
which then downloads the malware. Palo Alto Networks has just released signatures to detect
this malware as a high severity threat and the firewall is configured to dynamically update to the
latest databases automatically. Which component and implementation will detect and prevent
