Palo Alto Networks Certified Network Security Administrator (PCNSA) — Questions 526-529

529 questions total · 8 pages · All types, answers revealed


Page 8 of 8

526
MCQ · medium

A company has a decryption policy that decrypts all traffic except for traffic to financial sites. However, users report that some financial sites are still being decrypted. What should the admin check first?

A. The decryption policy rule order
B. The firewall's system logs
C. The certificate revocation status
D. The SSL/TLS service profile settings
Answer: A

Rules are evaluated top-down; a decrypt rule above the no-decrypt rule will match first.

Why this answer

Decryption policy rules are evaluated from top to bottom, and the first rule whose match criteria fit the session is applied; nothing below it is consulted. If a rule that decrypts traffic (typically a broad "decrypt everything" rule) sits above the no-decrypt rule for financial sites, financial traffic matches the decrypt rule and the exclusion is never reached: the exclusion rule is shadowed. The admin should move the no-decrypt rule above any broader decrypt rule. In practice, confirm the fix by checking which rule a failing session actually hit (Monitor > Logs > Decryption on PAN-OS 10.0 and later, or the decryption columns of the Traffic log) and whether the destination really carries the URL category the exclusion rule is keyed on; a bank site that URL filtering places in a category other than financial-services will keep matching the decrypt rule even after the reorder.

Exam trap

The trap here is that candidates often assume the issue is with certificates or logs, overlooking the fundamental first-match policy evaluation order that directly causes the described behavior.

How to eliminate wrong answers

Option B is wrong because the System log records device-level events (commits, HA transitions, daemon messages), not per-session policy matches; it can confirm that a commit succeeded but cannot explain why a session matched a decrypt rule, and the problem here is the policy sequence, not logging. Option C is wrong because certificate revocation status (CRL/OCSP) is checked while validating the server certificate during the SSL/TLS handshake; it plays no part in deciding which traffic is decrypted and is unrelated to rule ordering. Option D is wrong because the SSL/TLS service profile defines the protocol versions and cipher suites the firewall's own services use; it does not contain the match criteria that decide which sites are decrypted or excluded.
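The first-match behaviour discussed above, as an added example that is not part of the original question set and not Palo Alto Networks code: a small Python model of top-down decryption policy evaluation with a check for shadowed rules, run against the scenario's misordered and corrected rulebases. Rule names, the zone names and the session list are constructed for illustration.

```python
"""Model of PAN-OS-style first-match decryption policy evaluation (added example, not PAN-OS code)."""
from dataclasses import dataclass

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "decrypt" or "no-decrypt"
    src_zones: frozenset = ANY   # "any" matches every zone
    categories: frozenset = ANY  # URL categories; "any" matches every category

    def matches(self, src_zone: str, category: str) -> bool:
        zone_ok = "any" in self.src_zones or src_zone in self.src_zones
        cat_ok = "any" in self.categories or category in self.categories
        return zone_ok and cat_ok


def first_match(rules, src_zone, category):
    """Top-down evaluation: the first rule that matches wins; later rules are never consulted."""
    for rule in rules:
        if rule.matches(src_zone, category):
            return rule
    return None  # no matching rule: the session is not decrypted


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every session 'later' could match is already matched by 'earlier'."""
    def dim_covers(a: frozenset, b: frozenset) -> bool:
        return "any" in a or ("any" not in b and b <= a)
    return dim_covers(earlier.src_zones, later.src_zones) and dim_covers(earlier.categories, later.categories)


def shadowed_rules(rules):
    """Names of rules that can never be hit because a rule above them covers all of their traffic."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def audit(rules, sessions):
    """Map each (zone, category) session to the name and action of the rule it hits."""
    result = {}
    for zone, category in sessions:
        hit = first_match(rules, zone, category)
        result[(zone, category)] = (hit.name, hit.action) if hit else (None, "no-decrypt")
    return result


# Constructed rulebase: the catch-all decrypt rule was placed above the exclusion (the scenario's bug).
DECRYPT_ALL = Rule("decrypt-all", "decrypt")
NO_DECRYPT_FINANCIAL = Rule("no-decrypt-financial", "no-decrypt",
                            categories=frozenset({"financial-services"}))
MISORDERED = [DECRYPT_ALL, NO_DECRYPT_FINANCIAL]
FIXED = [NO_DECRYPT_FINANCIAL, DECRYPT_ALL]

# Constructed sessions: a bank site, a shop, and a bank site carrying an unexpected URL category.
SESSIONS = [("trust", "financial-services"), ("trust", "shopping"), ("trust", "business-and-economy")]

if __name__ == "__main__":
    print("shadowed in misordered rulebase:", shadowed_rules(MISORDERED))
    for label, rules in (("misordered", MISORDERED), ("fixed", FIXED)):
        print(label, audit(rules, SESSIONS))
```

The shadow check flags no-decrypt-financial in the misordered rulebase, which is the condition the question describes. The third session shows the second thing to verify: once the order is fixed, a bank site that URL filtering categorizes as business-and-economy still hits decrypt-all, so the category the exclusion rule is keyed on must be checked as well as the order.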

527
MCQ · hard

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

A. The HA2 link is down or misconfigured
B. The HA keepalive timer is misconfigured
C. The passive firewall has preemption enabled
D. The PAN-OS versions are different between the HA peers
Answer: D

HA peers must run the same PAN-OS version for sync.

Why this answer

PAN-OS requires both HA peers to run the same PAN-OS version before they will synchronize configuration and session state. With the active peer on 10.0 and the passive peer on 10.1 the versions are mismatched, so synchronization is suspended until both run the same release. This is the expected state in the middle of an HA upgrade: the documented procedure is to upgrade the passive peer first, suspend the active peer so that traffic fails over to the upgraded peer, then upgrade the former active peer; synchronization resumes once both peers are on 10.1.

Exam trap

The trap here is that candidates may focus on connectivity or timer issues (options A or B) rather than recognizing that PAN-OS enforces strict version matching for HA synchronization, even if the passive firewall is upgraded correctly.

How to eliminate wrong answers

Option A is wrong because the HA2 link carries session and runtime-state synchronization (heartbeats and configuration sync travel over HA1); a link fault would not be tied to the upgrade that just took place, and nothing in the scenario describes a link failure. Option B is wrong because the HA keepalive timer controls heartbeat intervals, not version compatibility; a misconfigured timer would cause flapping or a timeout, not a persistent sync failure that begins right after an upgrade. Option C is wrong because preemption decides which peer becomes active after a failure or recovery, not whether the peers synchronize; it would not prevent the passive peer from syncing with the active one.

528
MCQ · medium

A university uses a Palo Alto firewall for outbound SSL decryption. The IT helpdesk receives complaints that students cannot access certain educational resource websites (e.g., online libraries, research databases) after decryption was enabled. The firewall logs show 'decryption failure' for these sites with reason 'certificate validation failure'. The decryption profile is set to 'Block sessions with expired certificates' and 'Block sessions with untrusted issuers'. The helpdesk verifies that the root CA certificate is installed on all endpoints. The issue is intermittent and only affects a few sites. What should the administrator do?

A. Update the firewall's certificate revocation list (CRL).
B. Add the websites to a decryption policy exception rule.
C. Disable blocking for untrusted issuers in the decryption profile.
D. Use a decryption profile that allows sessions with certificate status unknown.
Answer: D

Intermittent validation failures often stem from unreachable CRL/OCSP; allowing unknown status lets the firewall decrypt the session.

Why this answer

The correct answer is D because a 'certificate validation failure' that is intermittent and limited to a few sites does not fit the two checks the profile is known to enforce: an expired certificate or an untrusted issuer fails on every connection to that site, not on some of them. What varies from connection to connection is the revocation lookup. The firewall fetches the CRL or queries the OCSP responder named in the server certificate, and when that responder is unreachable, slow or returns no usable answer, the certificate's status is 'unknown' (or the check times out). A profile that blocks sessions with unknown certificate status, or on certificate status check timeout, turns each failed lookup into a blocked session, which is exactly the intermittent pattern reported. Using a decryption profile that allows sessions with unknown certificate status lets the handshake proceed when revocation status cannot be determined, while expired certificates, untrusted issuers and certificates the responder positively reports as revoked are still blocked. Operationally, attach the relaxed profile to a decryption rule scoped to the affected destinations so the stricter profile keeps applying everywhere else, and check reachability from the firewall to those sites' CRL and OCSP URLs, since fixing that removes the intermittency altogether.

Exam trap

The trap here is that candidates confuse 'certificate status unknown' with 'untrusted issuer' or 'expired certificate', leading them to choose options that disable broader security controls (like untrusted issuer blocking) instead of the specific setting that addresses the revocation check failure.

How to eliminate wrong answers

Option A is wrong because the firewall retrieves CRLs and OCSP responses itself from the distribution points named in the server certificate; an 'unknown' status means no answer could be obtained (the responder was unreachable or timed out), not that a stale list was consulted, so there is nothing for the admin to "update". Option B is wrong because adding the websites to a no-decrypt rule bypasses decryption for them entirely, giving up inspection of that traffic when the problem is a revocation-lookup failure, not a site that cannot be decrypted. Option C is wrong because disabling the untrusted-issuer check would allow certificates from CAs the firewall does not trust; the logs show 'certificate validation failure' caused by revocation status, not an untrusted issuer, so this weakens security without addressing the cause.
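The server-certificate checks discussed above, as an added example that is not part of the original question set and not Palo Alto Networks code: a Python model of a decryption profile's verification steps, replayed against a constructed OCSP responder that answers some queries and fails others, under a strict profile and a relaxed one. The checkbox names mirror the decryption profile; the ordering of checks, the certificate data, the issuer name and the responder behaviour are this example's assumptions.

```python
"""Model of a decryption profile's server-certificate checks (added example, not PAN-OS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class ServerCert:
    subject: str
    issuer: str
    not_after: datetime
    ocsp_url: str


@dataclass(frozen=True)
class DecryptionProfile:
    # Field names mirror the profile checkboxes; the blocking logic below is this model's, not PAN-OS internals.
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_status: bool = True      # "Block sessions with unknown certificate status"
    block_status_timeout: bool = True      # "Block sessions on certificate status check timeout"


def verify(cert: ServerCert, profile: DecryptionProfile, now: datetime,
           revocation_lookup: Callable[[str], str], trusted_issuers: set) -> tuple:
    """Return ("decrypt", "ok") or ("block", <reason>) for one handshake.

    revocation_lookup stands in for the CRL/OCSP fetch and returns
    "good", "revoked", "unknown" or "timeout" for the certificate's endpoint.
    """
    if cert.not_after < now and profile.block_expired:
        return ("block", "certificate expired")
    if cert.issuer not in trusted_issuers and profile.block_untrusted_issuer:
        return ("block", "untrusted issuer")
    status = revocation_lookup(cert.ocsp_url)
    if status == "revoked":  # a positive revocation answer is blocked regardless of the relaxed flags
        return ("block", "certificate revoked")
    if status == "unknown" and profile.block_unknown_status:
        return ("block", "certificate status unknown")
    if status == "timeout" and profile.block_status_timeout:
        return ("block", "certificate status check timeout")
    return ("decrypt", "ok")


def simulate(cert, profile, now, responder_answers, trusted_issuers) -> list:
    """Replay one responder answer per connection and return the per-connection outcome."""
    outcomes = []
    for answer in responder_answers:
        outcomes.append(verify(cert, profile, now, lambda _url: answer, trusted_issuers)[0])
    return outcomes


# Constructed data: a trusted academic CA, a valid library certificate, an expired one, an untrusted one.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
TRUSTED = {"Example Academic Root CA"}
LIBRARY = ServerCert("library.example.edu", "Example Academic Root CA",
                     NOW + timedelta(days=365), "http://ocsp.example.edu")
EXPIRED = ServerCert("old.example.edu", "Example Academic Root CA",
                     NOW - timedelta(days=1), "http://ocsp.example.edu")
UNTRUSTED = ServerCert("vendor.example.net", "Unknown Vendor CA",
                       NOW + timedelta(days=30), "http://ocsp.example.net")
STRICT = DecryptionProfile()
RELAXED = DecryptionProfile(block_unknown_status=False, block_status_timeout=False)

# Constructed responder behaviour: the OCSP responder answers some queries and drops or times out on others.
FLAKY_RESPONDER = ["good", "unknown", "good", "timeout", "good"]

if __name__ == "__main__":
    print("strict :", simulate(LIBRARY, STRICT, NOW, FLAKY_RESPONDER, TRUSTED))
    print("relaxed:", simulate(LIBRARY, RELAXED, NOW, FLAKY_RESPONDER, TRUSTED))
    print("revoked under relaxed:", verify(LIBRARY, RELAXED, NOW, lambda _u: "revoked", TRUSTED))
    print("expired under relaxed:", verify(EXPIRED, RELAXED, NOW, lambda _u: "good", TRUSTED))
```

Under the strict profile the same valid, trusted certificate is blocked on exactly the connections where the responder gave no answer, which is the intermittent symptom in the question; the relaxed profile decrypts all five, while a revoked, expired or untrusted certificate is still blocked. That is why the fix targets the unknown-status and timeout settings rather than the expired or untrusted-issuer checks.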

529
MCQ · medium

A company is experiencing performance issues due to large amounts of encrypted traffic. They want to offload decryption to a dedicated appliance but still maintain visibility. Which feature should they configure on the Palo Alto Networks firewall?

A. SSL Decryption with a dedicated decryption broker.
B. SSL Forward Proxy with decryption mirroring.
C. Decryption port mirroring.
D. TLS 1.3 decryption.
Answer: A

A decryption broker offloads SSL/TLS decryption to a dedicated appliance, reducing firewall load while maintaining visibility.

Why this answer

Option A is correct because Decryption Broker is the PAN-OS feature that, after the firewall decrypts a session, forwards the cleartext through a security chain of dedicated third-party inspection appliances over a dedicated pair of Layer 3 interfaces and re-encrypts it on the way out, so inspection capacity is added without each appliance decrypting on its own and without the firewall losing visibility or policy control. Strictly speaking the TLS termination still happens on the firewall; what the broker offloads is the inspection work, which is what the exam means by "offload to a dedicated appliance while maintaining visibility".

How to eliminate wrong answers

Option B is wrong because decryption mirroring (SSL Forward Proxy together with Decryption Port Mirror) sends a copy of the decrypted traffic to an external collector for analysis; the firewall still performs all of the decryption, so nothing is offloaded. Option C is wrong for the same reason: Decryption Port Mirror is a passive tap of decrypted traffic, not an inspection chain, and it cannot reduce firewall load. Option D is wrong because TLS 1.3 is a protocol version the firewall can decrypt, not an offload mechanism; enabling it moves no work elsewhere.
