PCNSC Palo Alto Networks Certified Network Security Consultant Questions and Answers

To match the App-ID adoption task with its order in the process, follow these steps:

Perform a like-for-like (Layer 3/4) migration from the legacy firewall to the Palo Alto Networks NGFW.

This is the initial step to ensure that the Palo Alto Networks NGFW is in place and functioning with the existing security policies.

Capture, retain, and verify that all traffic has been logged for a period of time.

This step involves enabling logging and monitoring traffic to understand the application usage and to ensure that all traffic is being logged.

Clone the legacy rules and add application information to the intended application-based rules.

This step involves creating copies of the existing rules and enhancing them with application-specific information using App-ID.

Verify that no traffic is hitting the legacy rules.

After creating application-based rules, ensure that traffic is now hitting these new rules instead of the legacy rules. This indicates that the transition to App-ID based policies is successful.

Remove the legacy rules.

Once it is confirmed that no traffic is hitting the legacy rules and the new App-ID based rules are effectively managing the traffic, the legacy rules can be safely removed.

Order in Process:

Perform a like-for-like (Layer 3/4) migration from the legacy firewall to the Palo Alto Networks NGFW.

Capture, retain, and verify that all traffic has been logged for a period of time.

Clone the legacy rules and add application information to the intended application-based rules.

Verify that no traffic is hitting the legacy rules.

Remove the legacy rules.

References:

Palo Alto Networks - App-ID Best Practices: https://docs.paloaltonetworks.com/best-practices

Palo Alto Networks - Migration from Legacy Firewalls: https://docs.paloaltonetworks.com/migration

To non-disruptively monitor traffic coming from a port operating in promiscuous mode, the appropriate firewall interface type is:

D. TAP

A TAP (Test Access Point) interface allows the firewall to passively monitor network traffic without interfering with the actual flow of traffic. It is used to capture and analyze traffic for inspection, logging, and threat detection.

References:

Palo Alto Networks - TAP Mode: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/network-interface-configurations/tap-mode

If a firewall that was previously connected to a User-ID agent server now shows disconnected, the likely cause is:

D. The firewall was upgraded to a PAN-OS version that is not compatible with the agent version

When a firewall is upgraded to a new version of PAN-OS, there can be compatibility issues with the existing User-ID agent if it is not updated accordingly. This can result in the firewall being unable to communicate with the User-ID agent, showing it as disconnected.

References:

Palo Alto Networks - User-ID Agent Compatibility: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-agent

In Panorama, security rules are evaluated in a specific order to determine which rule applies to the traffic. The correct evaluation order is as follows:

Shared pre-rules (evaluated first)

Device group pre-rules (evaluated second)

Local firewall rules (evaluated third)

Device group post-rules (evaluated fourth)

Shared post-rules (evaluated fifth)

This order ensures that the most generic rules (shared across all devices) are evaluated first, followed by more specific rules at the device group and local firewall levels, and then the post-rules.

References:

Palo Alto Networks - Panorama Admin Guide: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/policy/policy-precedence-and-evaluation-order

Palo Alto Networks - Security Policy Evaluation: https://knowledgebase.paloaltonetworks.com

To create a secure Antivirus Profile to address a virus spreading internally over SMB, the administrator should choose the following set of actions for the SMB decoder:

B. Action - Reset-Both; Wildfire Action - Reset-Both

Choosing "Reset-Both" for both the Antivirus Action and the Wildfire Action ensures that the connection is terminated on both the client and server sides whenever a virus is detected. This action helps prevent the spread of the virus by cutting off the infected connection immediately.

References:

Palo Alto Networks - Antivirus Profile Best Practices: https://docs.paloaltonetworks.com/best-practices

Palo Alto Networks - Creating and Configuring Antivirus Profiles: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/antivirus-profiles

To start using Device-ID to obtain policy rule recommendations, the customer needs to purchase:

A. a Cortex Data Lake license

The Cortex Data Lake is a cloud-based logging service that aggregates data from all Palo Alto Networks products and services. Device-ID uses this data to provide insights and recommendations for policy rules based on the identities of devices on the network.

References:

Palo Alto Networks - Cortex Data Lake: https://docs.paloaltonetworks.com/cortex/cortex-data-lake

Palo Alto Networks - Device-ID Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-device-id-to-enforce-policy

The interface deployments that support the Aggregate Ethernet (AE) Active configuration are:

B. LACP in Layer 3 : Link Aggregation Control Protocol (LACP) can be used in Layer 3 interfaces to bundle multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.

C. LACP in Layer 2 : LACP can be used in Layer 2 interfaces to aggregate multiple Ethernet interfaces, enhancing throughput and providing failover capabilities within a Layer 2 network.

D. LACP in Virtual Wire : LACP can also be configured in Virtual Wire mode, which allows the firewall to aggregate interfaces while operating in a transparent mode, bridging traffic between interfaces without routing.

These configurations leverage LACP to improve network performance and reliability by combining multiple physical links into a single logical link.

References:

Palo Alto Networks - Aggregate Interfaces: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/aggregate-ethernet-overview

Palo Alto Networks - LACP and LLDP Support: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/lacp-and-lldp-support

To delete all of the unused address objects on the firewall, the best method is:

B. Using CLI execute request configuration address-objects remove-unused-objects

This CLI command is designed to identify and remove all unused address objects in the firewall's configuration. It is the most efficient and accurate method for cleaning up unused objects without manually checking each one.

References:

Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start

Palo Alto Networks - Removing Unused Address Objects: https://knowledgebase.paloaltonetworks.com

For a customer who wishes to actively use multiple pathways to the same destination, the recommended routing configuration is:

B. ECMP (Equal-Cost Multi-Path)

ECMP allows the use of multiple paths to the same destination with equal cost metrics, enabling load balancing and redundancy. It is suitable for scenarios where multiple pathways are desired for traffic distribution and fault tolerance.

References:

Palo Alto Networks - ECMP Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-networking-admin/ecmp

Palo Alto Networks - Configuring ECMP: https://knowledgebase.paloaltonetworks.com