Palo Alto Networks PCNSC Exam Dumps & Practice Test Questions

Question 1

TAC has requested a packet capture (PCAP) from your Panorama to help diagnose sporadic DNS resolution issues involving FQDNs. Which CLI command should you run to capture the necessary traffic?

A. tcpdump snaplen 53 filter "port 53"
B. tcpdump snaplen 0 filter "app dns"
C. tcpdump snaplen 0 filter "port 53"
D. tcpdump snaplen 53 filter "tcp 53"

Answer: C

Explanation:
To capture DNS traffic, which typically involves UDP communication on port 53, you need to configure the packet capture with the appropriate filters. Let’s break down the options:

A. tcpdump snaplen 53 filter "port 53" – This option sets a snaplen (the maximum number of bytes captured per packet) of 53 bytes. That is not suitable for capturing full DNS traffic, because DNS queries and responses are routinely larger than 53 bytes and would be truncated. Therefore, A is incorrect.

B. tcpdump snaplen 0 filter "app dns" – The snaplen of 0 (unlimited capture size) is fine, but the "app dns" filter relies on identifying the DNS application rather than matching the port directly. It could work, but filtering on port 53 is the more direct and reliable choice here. Therefore, B is not the best option.

C. tcpdump snaplen 0 filter "port 53" – This option is the most accurate and efficient. By specifying "port 53", you capture DNS traffic over both UDP and TCP. The snaplen of 0 captures each full packet, which is what you need when troubleshooting DNS resolution issues. Therefore, C is correct.

D. tcpdump snaplen 53 filter "tcp 53" – This would capture only TCP traffic on port 53, and would truncate those packets to 53 bytes. Since DNS typically uses UDP for queries, this filter would miss most of the relevant DNS packets. Therefore, D is incorrect.

In conclusion, the best command to run in this case is C, which will capture DNS traffic on both UDP and TCP port 53, providing the necessary data for diagnosis.

Question 2

During a firewall migration using Expedition, the service “ping” is marked as invalid and is used in several policies. What should the engineer do to fix this?

A. Create an Application Override to map the ping service to the ping application
B. Remove all policies referencing the ping service
C. Ignore the invalid service warning in Expedition
D. Use Expedition’s search and replace to substitute the ping service with the ping application

Answer: D

Explanation:
When migrating firewall configurations using tools like Expedition, it is common for certain services (like "ping") to be marked as invalid due to differences in how services are represented in different firewall versions or setups. Let’s go through the options:

A. Create an Application Override to map the ping service to the ping application – An Application Override tells the firewall to classify matching traffic as a specified application instead of identifying it through normal App-ID inspection. While it could be made to work in some cases, it is not the most straightforward or appropriate way to resolve an invalid "ping" service object during a migration. Therefore, A is incorrect.

B. Remove all policies referencing the ping service – Removing policies that reference the invalid "ping" service could lead to a loss of functionality, as the ping service might still be needed for network diagnostics or connectivity testing. Therefore, B is incorrect.

C. Ignore the invalid service warning in Expedition – Ignoring warnings about invalid services is not a good practice, especially when migrating firewall configurations. Ignoring these warnings may lead to incomplete or ineffective policies. Therefore, C is incorrect.

D. Use Expedition’s search and replace to substitute the ping service with the ping application – The most effective solution in this case is to use Expedition’s search and replace feature to automatically substitute the old, invalid "ping" service with the appropriate ping application. This ensures that the migration preserves the necessary functionality while aligning with the correct object structure. Therefore, D is correct.

In conclusion, the best course of action is D, using Expedition’s search and replace to fix the invalid "ping" service by substituting it with the ping application.

Question 3

After enabling SSL decryption, users report a specific application feature has stopped working. What’s the best place to begin troubleshooting SSL decryption issues?

A. Correlated Events log
B. Traffic log's "session end reason" field
C. CLI command: less mp-log ikemgr.log
D. Decryption log

Answer: D

Explanation:
SSL decryption issues can be complex and impact various aspects of network communication. When users report application issues after enabling SSL decryption, the best place to begin troubleshooting is the Decryption log.

Let’s examine the options:

A. Correlated Events log – The Correlated Events log provides insights into security incidents or patterns across different logs and systems, but it’s not specifically focused on SSL decryption issues. It's useful for identifying overall patterns of events but doesn't offer direct information about SSL decryption failures. Therefore, A is incorrect.

B. Traffic log's "session end reason" field – The session end reason in the traffic log could provide helpful insights regarding the termination of sessions, such as whether a session was dropped or ended due to a protocol issue. However, SSL decryption issues are better diagnosed in the Decryption log, where specific details of the decryption process (such as certificate errors, decryption failures, etc.) are captured. Therefore, B is incorrect.

C. CLI command: less mp-log ikemgr.log – The mp-log ikemgr.log file is related to the IKE (Internet Key Exchange) process, which is part of VPN management. While this log might show information related to tunnel establishment or security protocols, it’s not directly related to SSL decryption problems. Therefore, C is incorrect.

D. Decryption log – The Decryption log is the best place to troubleshoot SSL decryption issues. It specifically logs events related to SSL decryption and can reveal any failures in the decryption process, such as issues with certificates, unsupported protocols, or traffic being blocked due to SSL inspection settings. This log provides the most relevant information for resolving SSL decryption issues. Therefore, D is correct.

In conclusion, D (Decryption log) is the best starting point for troubleshooting SSL decryption issues.

Question 4

Which of the following is essential information when planning a Panorama hardware appliance deployment to manage firewalls?

A. Virtual routers, zones, and dataplane interface settings
B. ESXi location and Panorama routing details
C. Physical setup including wiring, power, and management access
D. Panorama mode, number of firewalls, and resource allocations (CPU, RAM)

Answer: D

Explanation:
When planning a Panorama deployment, the focus is typically on how the Panorama appliance will manage firewalls, so it’s crucial to understand both the technical and resource requirements. Let’s review each option:

A. Virtual routers, zones, and dataplane interface settings – While these are important considerations when managing a firewall, they are typically configured on the firewalls themselves, not directly related to the Panorama deployment. Therefore, A is incorrect.

B. ESXi location and Panorama routing details – The location of the ESXi server and routing details may be important in the context of deployment, but these are typically secondary considerations compared to the fundamental hardware and resource allocation requirements for the Panorama appliance. Therefore, B is incorrect.

C. Physical setup including wiring, power, and management access – Physical setup is important for ensuring that Panorama has the necessary infrastructure to function, but when planning a deployment, the hardware resource allocation (e.g., CPU, RAM) and Panorama mode (whether you’re using Panorama in a centralized or distributed mode) are more essential to determining how Panorama will manage the firewalls. Therefore, C is incorrect.

D. Panorama mode, number of firewalls, and resource allocations (CPU, RAM) – This is the most essential information when planning a Panorama hardware appliance deployment. Understanding the deployment mode (centralized or distributed), the number of firewalls that Panorama will manage, and the required resources (CPU, RAM) will help ensure that the Panorama appliance is appropriately sized and capable of handling the workload. These factors are critical to designing an effective Panorama deployment that can scale with the network’s needs. Therefore, D is correct.

In conclusion, D (Panorama mode, number of firewalls, and resource allocations) is essential information when planning a Panorama hardware appliance deployment.

Question 5

Which additional license is needed to enable Host Information Profiles (HIP) on Palo Alto firewalls?

A. Threat Prevention
B. WildFire
C. GlobalProtect Gateway
D. IoT Security

Answer: C

Explanation:
Host Information Profiles (HIP) are used to collect and assess endpoint information to make policy decisions based on the security posture of endpoints. This feature is primarily associated with Palo Alto Networks' GlobalProtect solution, which provides secure remote access to the network.

Here’s the breakdown of each option:

A. Threat Prevention – While Threat Prevention licenses are essential for enabling various threat detection features like intrusion prevention and anti-virus, they are not directly related to enabling HIP. HIP is more associated with monitoring the posture of devices through the GlobalProtect Gateway, not threat prevention. Therefore, A is incorrect.

B. WildFire – WildFire is a cloud-based service that analyzes files and identifies unknown malware. While WildFire is important for detecting malware, it does not have a direct relationship with the Host Information Profile (HIP) feature, which is more focused on device posture. Therefore, B is incorrect.

C. GlobalProtect Gateway – The GlobalProtect Gateway license is required to enable Host Information Profiles (HIP) on Palo Alto Networks firewalls. GlobalProtect is responsible for providing secure access to mobile devices and remote users, and HIP is integrated within this framework to assess endpoint security posture. Therefore, C is correct.

D. IoT Security – IoT Security is a separate feature that focuses on managing and securing IoT devices within the network, but it does not directly affect HIP, which is focused on endpoint posture and not specifically on IoT devices. Therefore, D is incorrect.

In conclusion, the correct answer is C (GlobalProtect Gateway), as it is the license required to enable Host Information Profiles (HIP) on Palo Alto firewalls.

Question 6

What is the default communication port used by the Terminal Services Agent (TSA) to connect with the firewall?

A. 5009
B. 5007
C. 636
D. 443

Answer: A

Explanation:
The Terminal Services Agent (TSA) is a component used by Palo Alto Networks firewalls to monitor and control terminal service traffic (like RDP or Citrix), particularly in environments where such services are being used remotely. The TSA communicates with the firewall to inspect and enforce security policies for terminal service sessions.

Let's break down each option:

A. 5009 – The default communication port used by the Terminal Services Agent (TSA) to connect with the Palo Alto firewall is 5009. This port is specifically designated for the TSA connection and communication with the firewall for session monitoring and control. Therefore, A is correct.

B. 5007 – Port 5007 is used by a different Palo Alto Networks component and is not the default port for TSA communication. Therefore, B is incorrect.

C. 636 – Port 636 is commonly used for LDAPS (LDAP over SSL), which is not related to the TSA communication. Therefore, C is incorrect.

D. 443 – Port 443 is used for HTTPS traffic and is commonly used for secure web-based communication, but it is not the default port for TSA. Therefore, D is incorrect.

In conclusion, the default port used by the Terminal Services Agent (TSA) is A (5009).

Question 7

SSL Forward Proxy is active, but users don’t get browser warnings when visiting HTTPS sites with bad certificates. Which two steps are needed to make browsers display warnings with an option to proceed? (Choose two.)

A. Create a PKI-signed certificate for Forward Untrust
B. Generate a self-signed Forward Untrust certificate
C. Enable the “Block sessions with expired certificates” setting in the Decryption Profile
D. Disable the Forward Untrust role from the Forward Trust certificate

Answer: B, C

Explanation:
SSL Forward Proxy is a feature that allows Palo Alto Networks firewalls to decrypt and inspect SSL/TLS traffic by acting as a proxy. When users visit HTTPS sites with invalid or untrusted certificates, you want to ensure they are warned by their browsers and given an option to proceed.

Let’s break down the steps needed to achieve this:

A. Create a PKI-signed certificate for Forward Untrust – A PKI-signed certificate for the Forward Untrust role is typically used to provide a valid, trusted certificate for sites that are part of a trusted forward proxy chain. However, this does not trigger browser warnings for invalid certificates, which is the goal in this scenario. Therefore, A is incorrect.

B. Generate a self-signed Forward Untrust certificate – A self-signed Forward Untrust certificate will allow the firewall to act as the Certificate Authority (CA) when intercepting and re-signing the certificates for sites with invalid or untrusted certificates. This means browsers can then detect the certificate mismatch and trigger a warning. This is one of the steps required to force the browser to display warnings. Therefore, B is correct.

C. Enable the “Block sessions with expired certificates” setting in the Decryption Profile – The “Block sessions with expired certificates” setting ensures that the firewall blocks connections if an SSL certificate is expired. By blocking expired certificates, the firewall forces browsers to show warnings or prevent users from connecting. This setting ensures proper handling of certificate errors and adds to the browser warning behavior. Therefore, C is correct.

D. Disable the Forward Untrust role from the Forward Trust certificate – The Forward Trust certificate is typically the certificate used for trusted SSL connections. Disabling the Forward Untrust role from this certificate does not affect browser warnings for invalid certificates. Therefore, D is incorrect.

In conclusion, to make browsers display warnings with an option to proceed, you need to B (Generate a self-signed Forward Untrust certificate) and C (Enable the “Block sessions with expired certificates” setting in the Decryption Profile).

Question 8

Your customer is implementing Active/Active HA on a pair of PA-5260s. They want even session distribution, use NAT, and rely on dynamic routing. Which three configurations are required to meet these needs? (Choose three.)

A. Configure HA1A, HA1B, and HA2 interfaces
B. Use HA1A, HA1B, HA2, and HA3 interfaces
C. Set session selection to “Primary Device”
D. Enable Active/Active HA Binding in NAT policies
E. Choose “First Packet” as the session selection algorithm

Answer: B, D, E

Explanation:
In Active/Active HA configurations, the goal is to distribute sessions evenly across both devices and handle the dynamic routing and NAT processes efficiently. Let’s review the necessary configurations:

A. Configure HA1A, HA1B, and HA2 interfaces – HA1A and HA1B are used for communication between the firewalls, while HA2 is used for synchronization of session information. However, in an Active/Active HA setup, you typically need HA3 for better session distribution and redundancy. Therefore, A is incorrect.

B. Use HA1A, HA1B, HA2, and HA3 interfaces – In an Active/Active HA configuration, you need the HA1A, HA1B, HA2, and HA3 interfaces to allow proper communication, session distribution, and synchronization. HA3 is essential in this setup for handling session synchronization across both devices. Therefore, B is correct.

C. Set session selection to “Primary Device” – Setting the session selection to “Primary Device” means that all sessions will be directed to the primary device. However, this approach doesn’t distribute sessions evenly in Active/Active HA. To achieve even session distribution, a different approach is required. Therefore, C is incorrect.

D. Enable Active/Active HA Binding in NAT policies – Enabling Active/Active HA Binding in NAT policies is crucial for ensuring that NAT policies are properly distributed and function correctly in an Active/Active HA environment. This ensures that both firewalls are used effectively for handling NAT translations. Therefore, D is correct.

E. Choose “First Packet” as the session selection algorithm – In Active/Active HA, selecting “First Packet” as the session selection algorithm ensures that the session is assigned to the first device that handles the initial packet of the session. This allows for even session distribution across both devices, improving load balancing. Therefore, E is correct.

In conclusion, the necessary configurations for an Active/Active HA setup with even session distribution, NAT, and dynamic routing are B (Use HA1A, HA1B, HA2, and HA3 interfaces), D (Enable Active/Active HA Binding in NAT policies), and E (Choose “First Packet” as the session selection algorithm).

Question 9

An administrator wants to allow specific users to access a sensitive internal application only during business hours using GlobalProtect. Which feature should be used to enforce this time-based access policy?

A. Security Policy with HIP Profile
B. User-ID and URL Filtering Profile
C. GlobalProtect App Configuration
D. Security Policy with Scheduled Access Control

Answer: D

Explanation:
To enforce time-based access control for specific users accessing a sensitive application, the Scheduled Access Control feature is the best option. Here’s why:

A. Security Policy with HIP Profile – Host Information Profiles (HIP) allow you to enforce security checks on the endpoint device before allowing access to the network. While useful for posture-based access controls (e.g., checking if the device has antivirus installed), HIP profiles do not directly control access based on time. Therefore, A is not the correct answer.

B. User-ID and URL Filtering Profile – User-ID allows for user-based access control and URL Filtering is useful for restricting access to specific URLs. However, these features do not provide a mechanism for enforcing time-based access, which is specifically what is needed in this scenario. Therefore, B is incorrect.

C. GlobalProtect App Configuration – The GlobalProtect App Configuration provides settings related to the GlobalProtect client’s behavior and how it connects to the firewall. While the app configuration controls how users connect to GlobalProtect, it does not enforce time-based access rules. Therefore, C is also incorrect.

D. Security Policy with Scheduled Access Control – The Scheduled Access Control feature within Security Policies allows the administrator to define specific time windows during which access is allowed. By using a scheduled rule, the administrator can restrict access to the sensitive internal application only during business hours. This is the correct feature for implementing the desired time-based access control. Therefore, D is the correct answer.

In conclusion, D (Security Policy with Scheduled Access Control) is the correct option for enforcing time-based access policies for specific users through GlobalProtect.

Question 10

A network engineer needs to verify whether the Palo Alto firewall is receiving logs from a syslog server. Which CLI command can be used to check the log forwarding status?

A. show system log forwarding
B. show log system
C. show log forwarding-status
D. debug log-receiver status

Answer: C

Explanation:
To verify whether the Palo Alto firewall is receiving logs from a syslog server, you need to check the log forwarding status. Let’s review the options:

A. show system log forwarding – This command shows the system’s log forwarding settings but does not provide specific information about the status of log forwarding from a syslog server. Therefore, A is not the correct command for verifying log receipt.

B. show log system – This command displays the system logs on the Palo Alto firewall, but it does not provide specific information about the status of log forwarding or log reception from a syslog server. Therefore, B is not the correct answer.

C. show log forwarding-status – This is the correct command to check the log forwarding status and verify whether the firewall is receiving logs from the syslog server. This command will show the status of log forwarding, including any issues related to the connection between the firewall and the syslog server. Therefore, C is the correct answer.

D. debug log-receiver status – This command is related to debugging and monitoring the log receiver status. While it can be used to diagnose issues with log reception, it is not the standard command for verifying general log forwarding status. Therefore, D is not the correct choice.

In conclusion, C (show log forwarding-status) is the correct command to verify the log forwarding status from the syslog server.