An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?
Correct Answer: D
Explanation: According to the Palo Alto Networks documentation [1], the error message "IKE phase-2 negotiation failed when processing Proxy ID" indicates that there is a mismatch between the Proxy ID settings on the two VPN peers. Proxy ID is used to identify the traffic that needs to be encrypted and tunneled. It consists of the local and remote IP addresses, protocols, and ports. If the Proxy ID settings do not match on both VPN peers, the phase-2 negotiation will fail. Therefore, the administrator should check whether the VPN peer on one end is set up correctly using policy-based VPN, which allows specifying the Proxy ID settings manually [2]. Therefore, the correct answer is C.
The other options are not relevant or helpful for identifying the root cause of this error message:
In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate: This option would help to identify the root cause of a phase-1 negotiation failure, not a phase-2 negotiation failure. The IP address for each VPN peer is used to establish the IKE gateway, which is part of the phase-1 negotiation. If the IP address is inaccurate, the phase-1 negotiation will fail and the error message will be different.
Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure: This option would also help to identify the root cause of a phase-1 negotiation failure, not a phase-2 negotiation failure. The ability to ping and route between the IP addresses of the VPN peers is a prerequisite for establishing the IKE gateway, which is part of the phase-1 negotiation. If there are routing issues or connectivity problems, the phase-1 negotiation will fail and the error message will be different.
In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers: This option would help to identify the root cause of a different phase-2 negotiation failure, not the one related to a Proxy ID mismatch. PFS stands for Perfect Forward Secrecy, which is an option to generate a new encryption key for each IPSec session. If PFS is enabled on one VPN peer but disabled on the other, the phase-2 negotiation will fail and the error message will be "IKEv2 IPSec SA negotiation failed. Invalid syntax." [3]
References: 1: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS 2: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-site-vpn/set-up-a-site-to-site-vpn-betwee 3: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0
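As an added illustration (not part of the question bank and not Palo Alto Networks tooling), the Python below parses a constructed copy of the phase-2 error line, normalizes the received Proxy IDs and compares them field by field with the Proxy ID configured on this firewall. It assumes that the logged "received local/remote" IDs are already stated from this firewall's point of view, and it flags the common case where the peer did not mirror its local and remote entries.

```python
import ipaddress
import re

# Constructed sample of the PAN-OS log line from the question (dotted form;
# the addresses are illustrative, not taken from a real deployment).
SAMPLE_ERROR = (
    "IKE phase-2 negotiation failed when processing Proxy ID. "
    "Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, "
    "received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."
)

_ID_RE = re.compile(
    r"received (?P<side>local|remote) id (?P<net>[0-9.]+/\d+) type IPv4 address "
    r"protocol (?P<proto>\d+) port (?P<port>\d+)",
    re.IGNORECASE,
)

def proxy_id(net, proto=0, port=0):
    """One Proxy ID entry; strict=False normalizes 192.168.33.33/24 to 192.168.33.0/24."""
    return {"net": ipaddress.ip_network(net, strict=False), "proto": proto, "port": port}

def parse_phase2_error(msg):
    """Extract the local and remote Proxy ID the peer proposed from the error text."""
    found = {}
    for m in _ID_RE.finditer(msg):
        found[m.group("side").lower()] = proxy_id(
            m.group("net"), int(m.group("proto")), int(m.group("port")))
    if set(found) != {"local", "remote"}:
        raise ValueError("message does not carry both Proxy IDs")
    return found

def proxy_id_mismatches(configured, received):
    """Compare our configured Proxy ID with the received one, field by field.
    Assumption (not from the page): received IDs are in this firewall's perspective."""
    problems = []
    for side in ("local", "remote"):
        for field in ("net", "proto", "port"):
            if configured[side][field] != received[side][field]:
                problems.append(f"{side} {field}: configured {configured[side][field]} "
                                f"!= received {received[side][field]}")
    # A peer that did not mirror its entries proposes our local as its local and
    # our remote as its remote, so both networks show up swapped.
    if (problems and configured["local"]["net"] == received["remote"]["net"]
            and configured["remote"]["net"] == received["local"]["net"]):
        problems.append("hint: local/remote are swapped; peer Proxy ID is not mirrored")
    return problems
```

An empty result means the received Proxy ID matches what this firewall expects and the cause lies elsewhere; any entry names the exact field to correct on the policy-based peer.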
PCNSE Exam Question 52
A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?
Correct Answer: A
Explanation: A TAP interface is a dedicated interface on the firewall that can be connected to a switch SPAN or mirror port to passively monitor traffic flows across a network. A TAP interface provides application visibility and threat detection without being in the flow of network traffic. A TAP interface does not require any IP changes or service interruptions on the network segment.
Option B is incorrect because vwire interfaces are used to create virtual wires that transparently connect two network segments. Vwire interfaces require physical cabling changes and may cause service interruptions on the network segment.
Option C is incorrect because a Layer 3 interface is used to route traffic between different subnets. A Layer 3 interface requires IP changes and may cause service interruptions on the network segment.
Option D is incorrect because a new vsys is used to create a virtual system that can have its own set of policies and objects. A new vsys does not provide visibility or security for a specific network segment.
PCNSE Exam Question 53
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?
Correct Answer: D
Explanation: According to the Palo Alto Networks documentation [1], an application-level gateway (ALG) is a feature that allows the firewall to inspect and modify the payload of some protocols, such as SIP, to enable NAT traversal and firewall policy enforcement. However, ALG can also cause issues with some VoIP implementations, such as modifying the SIP headers incorrectly or opening unnecessary pinholes for media ports. Therefore, disabling ALG under the SIP application can help solve the VoIP traffic issue by preventing the firewall from altering the voice packets' payload and opening dynamic pinholes. Therefore, the correct answer is D.
The other options are not relevant or helpful for solving the VoIP traffic issue:
Disable ALG under H.323 application: This option would disable ALG for the H.323 protocol, which is another VoIP protocol, but not the one used in this scenario. The scenario mentions SIP as the signaling protocol, so disabling ALG under the H.323 application would have no effect on the VoIP traffic issue.
Increase the TCP timeout under H.323 application: This option would increase the TCP timeout for the H.323 protocol, which is another VoIP protocol, but not the one used in this scenario. The scenario mentions SIP as the signaling protocol, which uses UDP by default, so increasing the TCP timeout under the H.323 application would have no effect on the VoIP traffic issue.
Increase the TCP timeout under SIP application: This option would increase the TCP timeout for the SIP protocol, which is the signaling protocol used in this scenario. However, SIP uses UDP by default, so increasing the TCP timeout would have no effect on the VoIP traffic issue. Moreover, increasing the TCP timeout would not address the problem of NAT on the voice packets' payload and dynamic pinholes for media ports.
References: 1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg 2: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK
PCNSE Exam Question 54
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
Correct Answer: D
Explanation: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/schedule-a-configuration-p Log in to the Panorama Web Interface. Create a scheduled configuration push: select Panorama > Scheduled Config Push and Add a new scheduled configuration push. You can also schedule a configuration push to managed firewalls when you push to devices (Commit > Push to Devices).
PCNSE Exam Question 55
An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?