PCNSE QUESTIONS AND ANSWER
GRADED A+
2 ways to Reset to Factory default - ✔✔* from CLI with known password
. request system private-data-reset
* from CLI without PW
reboot and type "maint" during bootup
choose Reset to factory default
or load another config into running memory
DNS and NTP are configured where? - ✔✔Device > Setup > Services
where do you configure service routes - ✔✔device > setup > services > service route
configuration
name of the running config - ✔✔running-config.xml
where do you manage configurations - ✔✔device > setup > operations
Steps needed prior to firewall being usable - ✔✔* register with PA
* activate licenses
* verify update and DNS
* manage content updates
* install software updates
where is Pan-OS software updates - ✔✔device > software
where do you define an interface management profile - ✔✔network > network profiles
> interface mgmt > add
What are the four major components that enable threat prevetion - ✔✔* Natively
integrated technologies that leverage single pass prevention architecture, support open
communication
* Automated creation and delivery of protection mechanisms
*Extensibility and flexibility
* Threat inelligence sharing
, Throughput in a PA 7080 - ✔✔App-ID firewall throughput 200Gps
Threat prevention throughput 100 Gbps
Throughput of a PA7050 - ✔✔App-id throughput 120 Gbps
Threat prevention 60 Gbps
throughput of a PA 5280/5260 - ✔✔App-id thoughput 68 Gbps
threat prevention throughput 30 gbps
throughput of a PA5250 - ✔✔app-id throughput 39 gbps
threat prevention 20 gbps
throughput of a PA5220 - ✔✔App-id 18gbps
threat prevention 9 gbps
Describe HA active/passive deployment - ✔✔recommended, single firewall config
synched between the two firewalls.
Synchronization happens across HA1 connection
Session data is kept on both firewalls via HA2
Describe HA active/active deployment - ✔✔two firewalls attached with 3 cables, HA1,
HA2, HA3. only recommended for load balancing
Identify ways to mitigate resource exhaustion - ✔✔*Denial of Service Policy - ,more
granular for specific resources
* Zone Protection Profiles (ZZP) - coveres AE zone
Why are denial of service protections applied by zone? - ✔✔* DOS protections are
applied very early in the processing before a lot of information is known about the
connection but the ingress interface is already known
* Because DOS protections are only applied when manually turned on to avoid quota
overload (which would make a DOS attack easier)
Which feature never requires a Decryption policy? - ✔✔Network address translation
How can the NGFW inform web browsers that a web server's certificate is from an
unknown certificate authority (CA)? - ✔✔Have two certificate authority certificates in
the firewall. One is used to produce certificates for sites whose original certificate is
trusted, and the other for certificates for sites whose original certificate is untrusted.
what type of identification is disabled by application override - ✔✔App-ID
what are two ways you can control unknown applications - ✔✔* Create a custom
application with a custom signature
GRADED A+
2 ways to Reset to Factory default - ✔✔* from CLI with known password
. request system private-data-reset
* from CLI without PW
reboot and type "maint" during bootup
choose Reset to factory default
or load another config into running memory
DNS and NTP are configured where? - ✔✔Device > Setup > Services
where do you configure service routes - ✔✔device > setup > services > service route
configuration
name of the running config - ✔✔running-config.xml
where do you manage configurations - ✔✔device > setup > operations
Steps needed prior to firewall being usable - ✔✔* register with PA
* activate licenses
* verify update and DNS
* manage content updates
* install software updates
where is Pan-OS software updates - ✔✔device > software
where do you define an interface management profile - ✔✔network > network profiles
> interface mgmt > add
What are the four major components that enable threat prevetion - ✔✔* Natively
integrated technologies that leverage single pass prevention architecture, support open
communication
* Automated creation and delivery of protection mechanisms
*Extensibility and flexibility
* Threat inelligence sharing
, Throughput in a PA 7080 - ✔✔App-ID firewall throughput 200Gps
Threat prevention throughput 100 Gbps
Throughput of a PA7050 - ✔✔App-id throughput 120 Gbps
Threat prevention 60 Gbps
throughput of a PA 5280/5260 - ✔✔App-id thoughput 68 Gbps
threat prevention throughput 30 gbps
throughput of a PA5250 - ✔✔app-id throughput 39 gbps
threat prevention 20 gbps
throughput of a PA5220 - ✔✔App-id 18gbps
threat prevention 9 gbps
Describe HA active/passive deployment - ✔✔recommended, single firewall config
synched between the two firewalls.
Synchronization happens across HA1 connection
Session data is kept on both firewalls via HA2
Describe HA active/active deployment - ✔✔two firewalls attached with 3 cables, HA1,
HA2, HA3. only recommended for load balancing
Identify ways to mitigate resource exhaustion - ✔✔*Denial of Service Policy - ,more
granular for specific resources
* Zone Protection Profiles (ZZP) - coveres AE zone
Why are denial of service protections applied by zone? - ✔✔* DOS protections are
applied very early in the processing before a lot of information is known about the
connection but the ingress interface is already known
* Because DOS protections are only applied when manually turned on to avoid quota
overload (which would make a DOS attack easier)
Which feature never requires a Decryption policy? - ✔✔Network address translation
How can the NGFW inform web browsers that a web server's certificate is from an
unknown certificate authority (CA)? - ✔✔Have two certificate authority certificates in
the firewall. One is used to produce certificates for sites whose original certificate is
trusted, and the other for certificates for sites whose original certificate is untrusted.
what type of identification is disabled by application override - ✔✔App-ID
what are two ways you can control unknown applications - ✔✔* Create a custom
application with a custom signature
