PCNSE Free Practice Test

An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?

1. A. Layer 2 security chain
2. B. Layer 3 security chain
3. C. Transparent Bridge security chain
4. D. Transparent Proxy security chain

Correct Answer: B
Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.

What is a correct statement regarding administrative authentication using external services with a local authorization method?

1. A. Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.
2. B. Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.
3. C. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.
4. D. The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.

Correct Answer: B

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?

1. A. set deviceconfig setting tcp asymmetric-path drop
2. B. set deviceconfig setting session tcp-reject-non-syn no
3. C. set session tcp-reject-non-syn yes
4. D. set deviceconfig setting tcp asymmetric-path bypass

Correct Answer: B
To work around this issue, one possible troubleshooting command is set deviceconfig setting session
tcp-reject-non-syn no which disables TCP reject non-SYN temporarily (until reboo4t). This command allows non-SYN first packet through without dropping it.
The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set, but not the SYN flag, which indicates asymmetric traffic flow. The tcp-reject-non-syn option enables or disables the firewall to drop non-SYN TCP packets. In this case, disabling the tcp-reject-non-syn option using the "set deviceconfig setting session tcp-reject-non-syn no" command can help work around the issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Application to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?

1. A. It matches to the New App-IDs downloaded in the last 30 days.
2. B. It matches to the New App-IDs downloaded in the last 90 days
3. C. It matches to the New App-IDs installed since the last time the firewall was rebooted
4. D. It matches to the New App-IDs in the most recently installed content releases.

Correct Answer: D
When creating a new App-ID report under Monitor > Reports > Application Reports > New Application, the firewall identifies new applications based on the New App-IDs in the most recently installed content releases. The New App-IDs are the application signatures that have been added in the latest content release, which can be found under Objects > Security Profiles > Application. This allows the engineer to monitor any new applications that have been added to the firewall's database and evaluate whether to allow or block them with a Security policy update.

An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

1. A. They can have a different bandwidth.
2. B. They can have a different interface type such as Layer 3 or Layer 2.
3. C. They can have a different interface type from an aggregate interface group.
4. D. They can have different hardware media such as the ability to mix fiber optic and copper.

Correct Answer: C