ExamGecko

PCNSC: Palo Alto Networks Certified Network Security Consultant

Palo Alto Networks Certified Network Security Consultant: 60 exam questions, 2,370 learners
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Related questions

An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall.

What additional license do they need to purchase?


A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy-based VPN peer. After the initial configuration is completed and the changes are committed, Phase 2 fails to establish.

Which two changes may be required to fix the issue? (Choose two.)

A. Verify that the certificate used for authentication is installed.
B. Verify that PFS is enabled on both ends.
C. Enable the NAT Traversal advanced option.
D. Add proxy IDs to the IPsec tunnel configuration.
Suggested answer: B, D

Explanation:

When configuring a site-to-site VPN between a Palo Alto Networks Next-Generation Firewall (NGFW) and a third-party device with a policy-based VPN peer, Phase 2 failures can often be attributed to configuration mismatches or missing parameters. Here are the two changes that may be required to fix the issue:

B. Verify that PFS is enabled on both ends: Perfect Forward Secrecy (PFS) performs a fresh Diffie-Hellman exchange for each Phase 2 (IPsec) security association, so that compromise of the Phase 1 keys does not expose earlier session keys. Both ends of the VPN tunnel need to agree on whether PFS is used (and on the DH group it uses). If PFS is enabled on one side but not the other, Phase 2 will fail. Verify the PFS settings and ensure they match on both the Palo Alto firewall and the third-party VPN device.

D. Add proxy IDs to the IPsec tunnel configuration: Proxy IDs (traffic selectors) define the specific local and remote IP ranges that are allowed to communicate through the VPN tunnel. They are particularly crucial when dealing with policy-based VPNs: the Palo Alto firewall is route-based and, with no proxy IDs configured, negotiates 0.0.0.0/0 selectors, while a policy-based peer proposes the specific networks from its policy, so the Phase 2 proposals do not match and the negotiation fails. Add proxy IDs to the IPsec tunnel configuration that match the policy-based VPN settings of the third-party device.

Palo Alto Networks - Configuring Site-to-Site VPN Between Palo Alto Networks and a Third-Party Firewall: https://docs.paloaltonetworks.com

Palo Alto Networks - VPN Configuration Guidelines: https://knowledgebase.paloaltonetworks.com

asked 23/09/2024 by Kees den Dekker (43 questions)

Which of the following WildFire action settings will ensure that a malicious file is quarantined and prevented from spreading?


How can you verify that a new security policy is correctly blocking traffic without disrupting the network?


A customer's Palo Alto Networks NGFW currently has only one security policy, allowing all traffic. They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an 'allow any' rule.

What should the consultant say about Expedition?

A. Expedition cannot parse log files and therefore cannot be used for this purpose.
B. By using the Machine Learning feature, Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic.
C. Live firewall traffic can be viewed on Expedition when connected to a firewall, and Expedition can automatically create and push policies to the firewall.
D. The log files can be viewed on Expedition, and right-clicking a log entry gives the option to create a security policy from the log entry.
Suggested answer: B

Explanation:

The Expedition tool can help the customer extract security policies from an 'allow any' rule by using its Machine Learning feature:

B. By using the Machine Learning feature, Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic.

Expedition can analyze traffic log files and apply machine learning algorithms to suggest security policies that match the observed traffic patterns. This helps in creating a more secure and granular policy set from a broad 'allow any' rule.

Palo Alto Networks - Expedition Documentation: https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool

Palo Alto Networks - Using Machine Learning in Expedition: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-machine-learning-overview/ta-p/260401

asked 23/09/2024 by Petros Kapouleas (46 questions)

What is the maximum number of virtual systems supported by a Palo Alto Networks VM-300 firewall?


Which firewall interface type allows you to non-disruptively monitor traffic coming from a port operating in promiscuous mode?


Which routing configuration should you recommend to a customer who wishes to actively use multiple pathways to the same destination?


In an HA (High Availability) setup, what is the purpose of the HA3 link?


Which of the following is NOT a benefit of using App-ID?

A. Identifies applications running on non-standard ports
B. Blocks application traffic that uses dynamic ports
C. Reduces the attack surface by allowing only required applications
D. Ensures consistent bandwidth allocation for all applications
Suggested answer: D
asked 23/09/2024 by ERIK BURDETT (42 questions)