Question No. 1

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

AIn the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate

BVerify that the IP addresses can be pinged and that routing issues are not causing the connection failure

CCheck whether the VPN peer on one end is set up correctly using policy-based VPN

DIn the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Show Answer

Correct Answer: C

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages

The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages.html

Question No. 2

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

ASource IP address

BDynamic tags

CStatic tags

DLdap attributes

Show Answer

Correct Answer: A, B

Question No. 3

Which three authentication types can be used to authenticate users? (Choose three.)

ALocal database authentication

BPingID

CKerberos single sign-on

DGlobalProtect client

ECloud authentication service

Show Answer

Correct Answer: A, C, E

The three authentication types that can be used to authenticate users are:

A: Local database authentication.This is the authentication type that uses the local user database on the firewall or Panorama to store and verify user credentials1.

C: Cloud authentication service.This is the authentication type that uses a cloud-based identity provider, such as Okta, PingOne, or PingFederate, to authenticate users and provide SAML assertions to the firewall or Panorama2.

E: Kerberos single sign-on.This is the authentication type that uses the Kerberos protocol to authenticate users who are logged in to a Windows domain and provide them with seamless access to resources on the firewall or Panorama3.

Question No. 4

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?

ANo - Neither firewall takes any action because firewall-01 cannot be rebooted when configured with device priority of 90.

BNo - Neither firewall takes any action because firewall-02 is already the active-primary member.

CYes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.

DYes - Firewall-02 takes over as the active-primary firewall; firewall-02 remains the active-primary member after firewall-01 becomes functional.

Show Answer

Correct Answer: C

Question No. 5

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?

ATunnel

BEthernet

CVLAN

DLookback

Show Answer

Correct Answer: C

Free Palo Alto Networks PCNSE Exam Actual Questions

The questions for PCNSE were last updated On Jan 17, 2025